Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
BzK8rQh2O3.exe

Overview

General Information

Sample name:BzK8rQh2O3.exe
renamed because original name is a hash value
Original sample name:03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe
Analysis ID:1588590
MD5:de74305f29857f83bc99d71524a8842b
SHA1:dd587bd360b681b2ec73bb7bcfc871f8fe981ae0
SHA256:03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc
Tags:exeWormm0yvuser-adrian__luca
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files in the system32 config directory
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • BzK8rQh2O3.exe (PID: 3748 cmdline: "C:\Users\user\Desktop\BzK8rQh2O3.exe" MD5: DE74305F29857F83BC99D71524A8842B)
    • svchost.exe (PID: 5228 cmdline: "C:\Users\user\Desktop\BzK8rQh2O3.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • armsvc.exe (PID: 2412 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 224A86FD89B67F5874BE745F454A29D5)
  • alg.exe (PID: 4820 cmdline: C:\Windows\System32\alg.exe MD5: AFF3175576D4CDBFB3592C3E3BEE84D7)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 1608 cmdline: C:\Windows\system32\AppVClient.exe MD5: DCB9DA31B5D9BF73EFE42CD201A3C555)
  • FXSSVC.exe (PID: 7064 cmdline: C:\Windows\system32\fxssvc.exe MD5: BD4426E495F8ADB5F861A87A8F767BF5)
  • elevation_service.exe (PID: 7224 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 01AF1FD4DAF4AD21FE19952B19C40DC2)
  • maintenanceservice.exe (PID: 7268 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: FF9BB8830745BF559EF36B064C54358D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.2005006372.0000000002D10000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      10.2.svchost.exe.2d0000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        10.2.svchost.exe.2d0000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Execution of Suspicious File Type Extension
          Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\BzK8rQh2O3.exe", CommandLine: "C:\Users\user\Desktop\BzK8rQh2O3.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BzK8rQh2O3.exe", ParentImage: C:\Users\user\Desktop\BzK8rQh2O3.exe, ParentProcessId: 3748, ParentProcessName: BzK8rQh2O3.exe, ProcessCommandLine: "C:\Users\user\Desktop\BzK8rQh2O3.exe", ProcessId: 5228, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\BzK8rQh2O3.exe", CommandLine: "C:\Users\user\Desktop\BzK8rQh2O3.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BzK8rQh2O3.exe", ParentImage: C:\Users\user\Desktop\BzK8rQh2O3.exe, ParentProcessId: 3748, ParentProcessName: BzK8rQh2O3.exe, ProcessCommandLine: "C:\Users\user\Desktop\BzK8rQh2O3.exe", ProcessId: 5228, ProcessName: svchost.exe

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-01-11T02:51:58.092153+010020516511A Network Trojan was detected192.168.2.4576181.1.1.153UDP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-01-11T02:50:06.393768+010020516491A Network Trojan was detected192.168.2.4651091.1.1.153UDP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-01-11T02:50:03.847049+010020516481A Network Trojan was detected192.168.2.4533491.1.1.153UDP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-01-11T02:49:57.909523+010020181411A Network Trojan was detected54.244.188.17780192.168.2.449730TCP
          2025-01-11T02:50:03.763330+010020181411A Network Trojan was detected44.221.84.10580192.168.2.449736TCP
          2025-01-11T02:50:45.124526+010020181411A Network Trojan was detected18.141.10.10780192.168.2.449755TCP
          2025-01-11T02:50:48.867179+010020181411A Network Trojan was detected34.246.200.16080192.168.2.449759TCP
          2025-01-11T02:50:49.525304+010020181411A Network Trojan was detected34.227.7.13880192.168.2.449760TCP
          2025-01-11T02:50:52.151278+010020181411A Network Trojan was detected13.251.16.15080192.168.2.449764TCP
          2025-01-11T02:50:55.203379+010020181411A Network Trojan was detected35.164.78.20080192.168.2.449791TCP
          2025-01-11T02:50:56.180580+010020181411A Network Trojan was detected3.94.10.3480192.168.2.449800TCP
          2025-01-11T02:51:00.242871+010020181411A Network Trojan was detected18.246.231.12080192.168.2.449825TCP
          2025-01-11T02:51:13.607166+010020181411A Network Trojan was detected47.129.31.21280192.168.2.449915TCP
          2025-01-11T02:51:19.427594+010020181411A Network Trojan was detected3.254.94.18580192.168.2.449961TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-01-11T02:49:57.909523+010020377711A Network Trojan was detected54.244.188.17780192.168.2.449730TCP
          2025-01-11T02:50:03.763330+010020377711A Network Trojan was detected44.221.84.10580192.168.2.449736TCP
          2025-01-11T02:50:45.124526+010020377711A Network Trojan was detected18.141.10.10780192.168.2.449755TCP
          2025-01-11T02:50:48.867179+010020377711A Network Trojan was detected34.246.200.16080192.168.2.449759TCP
          2025-01-11T02:50:49.525304+010020377711A Network Trojan was detected34.227.7.13880192.168.2.449760TCP
          2025-01-11T02:50:52.151278+010020377711A Network Trojan was detected13.251.16.15080192.168.2.449764TCP
          2025-01-11T02:50:55.203379+010020377711A Network Trojan was detected35.164.78.20080192.168.2.449791TCP
          2025-01-11T02:50:56.180580+010020377711A Network Trojan was detected3.94.10.3480192.168.2.449800TCP
          2025-01-11T02:51:00.242871+010020377711A Network Trojan was detected18.246.231.12080192.168.2.449825TCP
          2025-01-11T02:51:13.607166+010020377711A Network Trojan was detected47.129.31.21280192.168.2.449915TCP
          2025-01-11T02:51:19.427594+010020377711A Network Trojan was detected3.254.94.18580192.168.2.449961TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-01-11T02:49:57.902719+010028508511Malware Command and Control Activity Detected192.168.2.44973054.244.188.17780TCP
          2025-01-11T02:51:01.113608+010028508511Malware Command and Control Activity Detected192.168.2.44983054.244.188.17780TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus / Scanner detection for submitted sample
          Source: BzK8rQh2O3.exeAvira: detected
          Antivirus detection for URL or domain
          Source: http://54.244.188.177/sqhuoucbvpfptwAvira URL Cloud: Label: malware
          Source: http://54.244.188.177/sqhuoucbvpfptwWAvira URL Cloud: Label: malware
          Source: http://54.244.188.177/HAvira URL Cloud: Label: malware
          Source: http://54.244.188.177/xAvira URL Cloud: Label: malware
          Source: http://54.244.188.177:80/sqhuoucbvpfptwsAvira URL Cloud: Label: malware
          Antivirus detection for dropped file
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\AppVClient.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\FXSSVC.exeAvira: detection malicious, Label: W32/Infector.Gen
          Source: C:\Windows\System32\alg.exeAvira: detection malicious, Label: W32/Infector.Gen
          Multi AV Scanner detection for submitted file
          Source: BzK8rQh2O3.exeVirustotal: Detection: 75%Perma Link
          Source: BzK8rQh2O3.exeReversingLabs: Detection: 86%
          Yara detected FormBook
          Source: Yara matchFile source: 10.2.svchost.exe.2d0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.svchost.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000A.00000002.2005006372.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for dropped file
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJoe Sandbox ML: detected
          Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJoe Sandbox ML: detected
          Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJoe Sandbox ML: detected
          Source: C:\Windows\System32\AppVClient.exeJoe Sandbox ML: detected
          Source: C:\Windows\System32\FXSSVC.exeJoe Sandbox ML: detected
          Source: C:\Windows\System32\alg.exeJoe Sandbox ML: detected
          Machine Learning detection for sample
          Source: BzK8rQh2O3.exeJoe Sandbox ML: detected
          Source: BzK8rQh2O3.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: BzK8rQh2O3.exe, 00000000.00000003.1709037874.0000000004000000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: BzK8rQh2O3.exe, 00000000.00000003.1742039738.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
          Source: Binary string: ALG.pdbGCTL source: BzK8rQh2O3.exe, 00000000.00000003.1713887280.0000000004000000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
          Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: BzK8rQh2O3.exe, 00000000.00000003.1763734434.0000000004250000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: BzK8rQh2O3.exe, 00000000.00000003.1742039738.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: PresentationFontCache.pdb source: BzK8rQh2O3.exe, 00000000.00000003.1763734434.0000000004250000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: FXSSVC.pdbGCTL source: FXSSVC.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: BzK8rQh2O3.exe, 00000000.00000003.1765571034.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1764711070.0000000005060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2005075194.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1943955685.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1941382138.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: BzK8rQh2O3.exe, 00000000.00000003.1765571034.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1764711070.0000000005060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000A.00000002.2005075194.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1943955685.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1941382138.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.0.dr
          Source: Binary string: FXSSVC.pdb source: FXSSVC.exe.0.dr
          Source: Binary string: ALG.pdb source: BzK8rQh2O3.exe, 00000000.00000003.1713887280.0000000004000000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr

          Spreading

          barindex
          Infects executable files (exe, dll, sys, html)
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Windows\System32\AppVClient.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Windows\System32\FXSSVC.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to behavior

          Networking

          barindex
          Suricata IDS alerts for network traffic
          Source: Network trafficSuricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:65109 -> 1.1.1.1:53
          Source: Network trafficSuricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49730 -> 54.244.188.177:80
          Source: Network trafficSuricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:53349 -> 1.1.1.1:53
          Source: Network trafficSuricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49830 -> 54.244.188.177:80
          Source: Network trafficSuricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.4:57618 -> 1.1.1.1:53
          Source: Joe Sandbox ViewIP Address: 54.244.188.177 54.244.188.177
          Source: Joe Sandbox ViewIP Address: 18.141.10.107 18.141.10.107
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.4:49736
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.4:49736
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.4:49755
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.4:49755
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49730
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.4:49730
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.227.7.138:80 -> 192.168.2.4:49760
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.227.7.138:80 -> 192.168.2.4:49760
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.4:49800
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.4:49800
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.4:49791
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.4:49791
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.4:49825
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.4:49825
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.4:49764
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.4:49764
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.4:49759
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.4:49759
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.4:49915
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.4:49915
          Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.254.94.185:80 -> 192.168.2.4:49961
          Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.254.94.185:80 -> 192.168.2.4:49961
          Source: global trafficHTTP traffic detected: POST /sqhuoucbvpfptw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 800
          Source: global trafficHTTP traffic detected: POST /ahu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 800
          Source: global trafficHTTP traffic detected: POST /nxbrnchslf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /flkkbmligcvmrctj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 800
          Source: global trafficHTTP traffic detected: POST /ggjlw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /dufkpol HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /a HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /mygkicdwtcska HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /eicnkswtpuoihir HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /jhjqfhvnwcnnm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /jetrwdoymgqweqlr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /hnk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /wxwlgro HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /cvgvkeodaeo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /wdqbfpac HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /tebnqgy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /lglaocayhhpbni HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: global trafficHTTP traffic detected: POST /bjgvdeudf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: eufxebus.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficDNS traffic detected: DNS query: pywolwnvd.biz
          Source: global trafficDNS traffic detected: DNS query: ssbzmoy.biz
          Source: global trafficDNS traffic detected: DNS query: cvgrf.biz
          Source: global trafficDNS traffic detected: DNS query: pwlqfu.biz
          Source: unknownHTTP traffic detected: POST /sqhuoucbvpfptw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 800
          Source: BzK8rQh2O3.exe, 00000000.00000003.1758322463.0000000000B72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/
          Source: BzK8rQh2O3.exe, 00000000.00000003.1758322463.0000000000B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/ahu
          Source: BzK8rQh2O3.exe, 00000000.00000003.1758322463.0000000000B6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/ahuM-
          Source: BzK8rQh2O3.exe, 00000000.00000003.1757872961.0000000000BF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107:80/ahu
          Source: BzK8rQh2O3.exe, 00000000.00000003.1743530984.0000000000B62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/H
          Source: BzK8rQh2O3.exe, 00000000.00000003.1733011212.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736030447.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1757872961.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1743530984.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1743990008.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734456516.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734887127.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736030447.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1757872961.0000000000B84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/sqhuoucbvpfptw
          Source: BzK8rQh2O3.exe, 00000000.00000003.1733011212.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736030447.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1757872961.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1743530984.0000000000C77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/sqhuoucbvpfptwW
          Source: BzK8rQh2O3.exe, 00000000.00000003.1733197857.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1744833710.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734822770.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1744568591.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1745163536.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1737280802.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1746579812.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736599685.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1737178163.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1735908567.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736723081.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1758121231.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1733503393.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1745592328.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1745421290.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736845295.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1744676010.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1733825138.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1743165787.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736468723.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1737068539.0000000000D8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/x
          Source: BzK8rQh2O3.exe, 00000000.00000003.1757872961.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1743990008.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736030447.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734887127.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734456516.0000000000C00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177:80/sqhuoucbvpfptws
          Source: AppVClient.exe, 00000006.00000003.1740542601.0000000000575000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1740328267.0000000000566000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1739746989.0000000000510000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000002.1757094761.0000000000575000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1740108258.0000000000517000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.micrXXG

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 10.2.svchost.exe.2d0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.svchost.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000A.00000002.2005006372.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Binary is likely a compiled AutoIt script file
          Source: BzK8rQh2O3.exe, 00000000.00000000.1703265931.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_bb8862a3-2
          Source: BzK8rQh2O3.exe, 00000000.00000000.1703265931.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_82890010-8
          Source: BzK8rQh2O3.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_086e9bc4-1
          Source: BzK8rQh2O3.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_9d70c588-5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002FCA93 NtClose,10_2_002FCA93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F735C0 NtCreateMutant,LdrInitializeThunk,10_2_02F735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72B60 NtClose,LdrInitializeThunk,10_2_02F72B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_02F72DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F74340 NtSetContextThread,10_2_02F74340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F73090 NtSetValueKey,10_2_02F73090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F73010 NtOpenDirectoryObject,10_2_02F73010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F74650 NtSuspendThread,10_2_02F74650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72AF0 NtWriteFile,10_2_02F72AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72AD0 NtReadFile,10_2_02F72AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72AB0 NtWaitForSingleObject,10_2_02F72AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72BF0 NtAllocateVirtualMemory,10_2_02F72BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72BE0 NtQueryValueKey,10_2_02F72BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72BA0 NtEnumerateValueKey,10_2_02F72BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72B80 NtQueryInformationFile,10_2_02F72B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F739B0 NtGetContextThread,10_2_02F739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72EE0 NtQueueApcThread,10_2_02F72EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72EA0 NtAdjustPrivilegesToken,10_2_02F72EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72E80 NtReadVirtualMemory,10_2_02F72E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72E30 NtWriteVirtualMemory,10_2_02F72E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72FE0 NtCreateFile,10_2_02F72FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72FB0 NtResumeThread,10_2_02F72FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72FA0 NtQuerySection,10_2_02F72FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72F90 NtProtectVirtualMemory,10_2_02F72F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72F60 NtCreateProcessEx,10_2_02F72F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72F30 NtCreateSection,10_2_02F72F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72CF0 NtOpenProcess,10_2_02F72CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72CC0 NtQueryVirtualMemory,10_2_02F72CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72CA0 NtQueryInformationToken,10_2_02F72CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72C70 NtFreeVirtualMemory,10_2_02F72C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72C60 NtCreateKey,10_2_02F72C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72C00 NtQueryInformationProcess,10_2_02F72C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72DD0 NtDelayExecution,10_2_02F72DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72DB0 NtEnumerateKey,10_2_02F72DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F73D70 NtOpenThread,10_2_02F73D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72D30 NtUnmapViewOfSection,10_2_02F72D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72D10 NtMapViewOfSection,10_2_02F72D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F73D10 NtOpenProcessToken,10_2_02F73D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72D00 NtSetInformationFile,10_2_02F72D00
          Source: C:\Windows\System32\AppVClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Roaming\8227aa636967b89b.binJump to behavior
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_0076A8106_2_0076A810
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00747C006_2_00747C00
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00772D406_2_00772D40
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_007479F06_2_007479F0
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_0076EEB06_2_0076EEB0
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_007692A06_2_007692A0
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_007693B06_2_007693B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D1ACB10_2_002D1ACB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002FF0B310_2_002FF0B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002E01D310_2_002E01D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D2A9010_2_002D2A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D32F010_2_002D32F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002E6B8E10_2_002E6B8E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002E6B9310_2_002E6B93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002E03F310_2_002E03F3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002DE3D310_2_002DE3D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D1C3A10_2_002D1C3A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D1C4010_2_002D1C40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002DE52310_2_002DE523
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002DE51C10_2_002DE51C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D2E4910_2_002D2E49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D2E5010_2_002D2E50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D272010_2_002D2720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D2F1910_2_002D2F19
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5B2C010_2_02F5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F452A010_2_02F452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE027410_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_030003E610_2_030003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4E3F010_2_02F4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F8739A10_2_02F8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFA35210_2_02FFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2D34C10_2_02F2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF132D10_2_02FF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF70E910_2_02FF70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFF0E010_2_02FFF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEF0CC10_2_02FEF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C010_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0300B16B10_2_0300B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_030001AA10_2_030001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF81CC10_2_02FF81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4B1B010_2_02F4B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F17210_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F7516C10_2_02F7516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FDA11810_2_02FDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3010010_2_02F30100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5C6E010_2_02F5C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF16CC10_2_02FF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3C7C010_2_02F3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFF7B010_2_02FFF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4077010_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6475010_2_02F64750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEE4F610_2_02FEE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0300059110_2_03000591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3146010_2_02F31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF244610_2_02FF2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFF43F10_2_02FFF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FDD5B010_2_02FDD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF757110_2_02FF7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4053510_2_02F40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEDAC610_2_02FEDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FDDAAC10_2_02FDDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F85AA010_2_02F85AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3EA8010_2_02F3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB3A6C10_2_02FB3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFFA4910_2_02FFFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF7A4610_2_02FF7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F7DBF910_2_02F7DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF6BD710_2_02FF6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5FB8010_2_02F5FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFFB7610_2_02FFFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFAB4010_2_02FFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6E8F010_2_02F6E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F438E010_2_02F438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F268B810_2_02F268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0300A9A610_2_0300A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4284010_2_02F42840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4A84010_2_02F4A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAD80010_2_02FAD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F429A010_2_02F429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5696210_2_02F56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4995010_2_02F49950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5B95010_2_02F5B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFEEDB10_2_02FFEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F49EB010_2_02F49EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F52E9010_2_02F52E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFCE9310_2_02FFCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40E5910_2_02F40E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFEE2610_2_02FFEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F32FC810_2_02F32FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFFFB110_2_02FFFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41F9210_2_02F41F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB4F4010_2_02FB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F60F3010_2_02F60F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F82F2810_2_02F82F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFFF0910_2_02FFFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F30CF210_2_02F30CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFFCF210_2_02FFFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0CB510_2_02FE0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB9C3210_2_02FB9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40C0010_2_02F40C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3ADE010_2_02F3ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5FDC010_2_02F5FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F58DBF10_2_02F58DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF7D7310_2_02FF7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF1D5A10_2_02FF1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F43D4010_2_02F43D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4AD0010_2_02F4AD00
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009BA81011_2_009BA810
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_00997C0011_2_00997C00
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009979F011_2_009979F0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009C2D4011_2_009C2D40
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009BEEB011_2_009BEEB0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009B92A011_2_009B92A0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009B93B011_2_009B93B0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 12_2_022692A012_2_022692A0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 12_2_0226EEB012_2_0226EEB0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 12_2_022693B012_2_022693B0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 12_2_02247C0012_2_02247C00
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 12_2_0226A81012_2_0226A810
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 12_2_02272D4012_2_02272D40
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 12_2_022479F012_2_022479F0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: Load DriverJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: SecurityJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F87E54 appears 87 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02FBF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F75130 appears 36 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 02F2B970 appears 253 times
          Source: elevation_service.exe.0.drStatic PE information: Number of sections : 12 > 10
          Source: BzK8rQh2O3.exe, 00000000.00000003.1765571034.0000000004FE3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs BzK8rQh2O3.exe
          Source: BzK8rQh2O3.exe, 00000000.00000003.1709109485.0000000004000000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamearmsvc.exeN vs BzK8rQh2O3.exe
          Source: BzK8rQh2O3.exe, 00000000.00000003.1763982056.0000000004FE3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs BzK8rQh2O3.exe
          Source: BzK8rQh2O3.exe, 00000000.00000003.1714010031.0000000004000000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameALG.exej% vs BzK8rQh2O3.exe
          Source: BzK8rQh2O3.exe, 00000000.00000003.1742812858.00000000041E0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDiagnosticsHub.StandardCollector.Service.exeD vs BzK8rQh2O3.exe
          Source: BzK8rQh2O3.exe, 00000000.00000003.1764711070.000000000518D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs BzK8rQh2O3.exe
          Source: unknownDriver loaded: C:\Windows\System32\drivers\AppVStrm.sys
          Source: BzK8rQh2O3.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: BzK8rQh2O3.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: armsvc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: AppVClient.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: DiagnosticsHub.StandardCollector.Service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: FXSSVC.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: elevation_service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: BzK8rQh2O3.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: armsvc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: AppVClient.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: DiagnosticsHub.StandardCollector.Service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: FXSSVC.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: elevation_service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: classification engineClassification label: mal100.spre.troj.expl.evad.winEXE@9/11@7/2
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.logJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Users\user\AppData\Roaming\8227aa636967b89b.binJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-8227aa636967b89b-inf
          Source: C:\Windows\System32\AppVClient.exeMutant created: \BaseNamedObjects\Global\Multiarch.m0yv-8227aa636967b89b9ea72c54-b
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-8227aa636967b89b7d8e3ee9-b
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Users\user\AppData\Local\Temp\aut9C87.tmpJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: BzK8rQh2O3.exeVirustotal: Detection: 75%
          Source: BzK8rQh2O3.exeReversingLabs: Detection: 86%
          Source: unknownProcess created: C:\Users\user\Desktop\BzK8rQh2O3.exe "C:\Users\user\Desktop\BzK8rQh2O3.exe"
          Source: unknownProcess created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
          Source: unknownProcess created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
          Source: unknownProcess created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
          Source: unknownProcess created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BzK8rQh2O3.exe"
          Source: unknownProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
          Source: unknownProcess created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BzK8rQh2O3.exe"Jump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: webio.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\alg.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\alg.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\alg.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: appvpolicy.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: samcli.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: logoncli.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeSection loaded: appmanagementconfiguration.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: tapi32.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: credui.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxstiff.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxsresm.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: ualapi.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: version.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\AppVClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32Jump to behavior
          Source: BzK8rQh2O3.exeStatic file information: File size 1801216 > 1048576
          Source: BzK8rQh2O3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: BzK8rQh2O3.exe, 00000000.00000003.1709037874.0000000004000000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: BzK8rQh2O3.exe, 00000000.00000003.1742039738.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
          Source: Binary string: ALG.pdbGCTL source: BzK8rQh2O3.exe, 00000000.00000003.1713887280.0000000004000000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
          Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: BzK8rQh2O3.exe, 00000000.00000003.1763734434.0000000004250000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: BzK8rQh2O3.exe, 00000000.00000003.1742039738.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: PresentationFontCache.pdb source: BzK8rQh2O3.exe, 00000000.00000003.1763734434.0000000004250000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: FXSSVC.pdbGCTL source: FXSSVC.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: BzK8rQh2O3.exe, 00000000.00000003.1765571034.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1764711070.0000000005060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2005075194.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1943955685.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1941382138.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: BzK8rQh2O3.exe, 00000000.00000003.1765571034.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1764711070.0000000005060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000A.00000002.2005075194.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1943955685.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1941382138.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.0.dr
          Source: Binary string: FXSSVC.pdb source: FXSSVC.exe.0.dr
          Source: Binary string: ALG.pdb source: BzK8rQh2O3.exe, 00000000.00000003.1713887280.0000000004000000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: alg.exe.0.drStatic PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
          Source: armsvc.exe.0.drStatic PE information: section name: .didat
          Source: alg.exe.0.drStatic PE information: section name: .didat
          Source: FXSSVC.exe.0.drStatic PE information: section name: .didat
          Source: elevation_service.exe.0.drStatic PE information: section name: .00cfg
          Source: elevation_service.exe.0.drStatic PE information: section name: .gxfg
          Source: elevation_service.exe.0.drStatic PE information: section name: .retplne
          Source: elevation_service.exe.0.drStatic PE information: section name: _RDATA
          Source: elevation_service.exe.0.drStatic PE information: section name: malloc_h
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D2055 push edx; iretd 10_2_002D2056
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D18A1 push edx; iretd 10_2_002D18A2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002EF9B8 push 13D671DEh; iretd 10_2_002EF9BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002DD9B6 push FFFFFFEBh; iretd 10_2_002DD9BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D218B push ebp; iretd 10_2_002D2192
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002EAA30 push edx; retf 10_2_002EAA31
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002F4281 push ds; retf 10_2_002F4287
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002E92F1 push edx; ret 10_2_002E92F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002F5433 push edi; ret 10_2_002F5483
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002D3570 push eax; ret 10_2_002D3572
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002F3D54 push 00000063h; retf 10_2_002F3D83
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002E4E8B pushfd ; iretd 10_2_002E4E91
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002DD7CA push ecx; ret 10_2_002DD7CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002DA7C3 push edi; ret 10_2_002DA7F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F309AD push ecx; mov dword ptr [esp], ecx10_2_02F309B6
          Source: BzK8rQh2O3.exeStatic PE information: section name: .reloc entropy: 7.938057904352507
          Source: AppVClient.exe.0.drStatic PE information: section name: .reloc entropy: 7.943025276952371
          Source: FXSSVC.exe.0.drStatic PE information: section name: .reloc entropy: 7.949291863502323
          Source: elevation_service.exe.0.drStatic PE information: section name: .reloc entropy: 7.950794764933596

          Persistence and Installation Behavior

          barindex
          Creates files in the system32 config directory
          Source: C:\Windows\System32\AppVClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Roaming\8227aa636967b89b.binJump to behavior
          Drops executable to a common third party application directory
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Infects executable files (exe, dll, sys, html)
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Windows\System32\AppVClient.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Windows\System32\FXSSVC.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Contains functionality to behave differently if execute on a Russian/Kazak computer
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_007452A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 6_2_007452A0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 11_2_009952A0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 12_2_022452A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 12_2_022452A0
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeAPI/Special instruction interceptor: Address: D92074
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAD1C0 rdtsc 10_2_02FAD1C0
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeDropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to dropped file
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_11-5783
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_12-5485
          Source: C:\Windows\System32\AppVClient.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_6-5679
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exe TID: 3632Thread sleep time: -60000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7164Thread sleep time: -30000s >= -30000sJump to behavior
          Source: BzK8rQh2O3.exe, 00000000.00000003.1744833710.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1744568591.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1745163536.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1737280802.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1746579812.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736599685.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1737178163.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736030447.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1735908567.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736723081.0000000000D8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: AppVClient.exe, 00000006.00000003.1740442360.000000000052E000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1739746989.0000000000510000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000002.1751871474.0000000000536000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1740108258.0000000000517000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
          Source: BzK8rQh2O3.exe, 00000000.00000003.1716210903.0000000000C77000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exe
          Source: BzK8rQh2O3.exe, 00000000.00000003.1730534041.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1722247811.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1717509564.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1733011212.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1733571311.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1723674985.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1721812637.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1729439667.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734456516.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1733872422.0000000000BF2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAD1C0 rdtsc 10_2_02FAD1C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_002E7B23 LdrLoadDll,10_2_002E7B23
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEF2F8 mov eax, dword ptr fs:[00000030h]10_2_02FEF2F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F292FF mov eax, dword ptr fs:[00000030h]10_2_02F292FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE12ED mov eax, dword ptr fs:[00000030h]10_2_02FE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F402E1 mov eax, dword ptr fs:[00000030h]10_2_02F402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F402E1 mov eax, dword ptr fs:[00000030h]10_2_02F402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F402E1 mov eax, dword ptr fs:[00000030h]10_2_02F402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B2D3 mov eax, dword ptr fs:[00000030h]10_2_02F2B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B2D3 mov eax, dword ptr fs:[00000030h]10_2_02F2B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B2D3 mov eax, dword ptr fs:[00000030h]10_2_02F2B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5F2D0 mov eax, dword ptr fs:[00000030h]10_2_02F5F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5F2D0 mov eax, dword ptr fs:[00000030h]10_2_02F5F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]10_2_02F3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]10_2_02F3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]10_2_02F3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]10_2_02F3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]10_2_02F3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]10_2_02F5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]10_2_02F5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]10_2_02F5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]10_2_02F5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]10_2_02F5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]10_2_02F5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]10_2_02F5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F392C5 mov eax, dword ptr fs:[00000030h]10_2_02F392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F392C5 mov eax, dword ptr fs:[00000030h]10_2_02F392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03005341 mov eax, dword ptr fs:[00000030h]10_2_03005341
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB92BC mov eax, dword ptr fs:[00000030h]10_2_02FB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB92BC mov eax, dword ptr fs:[00000030h]10_2_02FB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB92BC mov ecx, dword ptr fs:[00000030h]10_2_02FB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB92BC mov ecx, dword ptr fs:[00000030h]10_2_02FB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F402A0 mov eax, dword ptr fs:[00000030h]10_2_02F402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F402A0 mov eax, dword ptr fs:[00000030h]10_2_02F402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F452A0 mov eax, dword ptr fs:[00000030h]10_2_02F452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F452A0 mov eax, dword ptr fs:[00000030h]10_2_02F452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F452A0 mov eax, dword ptr fs:[00000030h]10_2_02F452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F452A0 mov eax, dword ptr fs:[00000030h]10_2_02F452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF92A6 mov eax, dword ptr fs:[00000030h]10_2_02FF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF92A6 mov eax, dword ptr fs:[00000030h]10_2_02FF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF92A6 mov eax, dword ptr fs:[00000030h]10_2_02FF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF92A6 mov eax, dword ptr fs:[00000030h]10_2_02FF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC62A0 mov eax, dword ptr fs:[00000030h]10_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC62A0 mov ecx, dword ptr fs:[00000030h]10_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC62A0 mov eax, dword ptr fs:[00000030h]10_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC62A0 mov eax, dword ptr fs:[00000030h]10_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC62A0 mov eax, dword ptr fs:[00000030h]10_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC62A0 mov eax, dword ptr fs:[00000030h]10_2_02FC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC72A0 mov eax, dword ptr fs:[00000030h]10_2_02FC72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC72A0 mov eax, dword ptr fs:[00000030h]10_2_02FC72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6329E mov eax, dword ptr fs:[00000030h]10_2_02F6329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6329E mov eax, dword ptr fs:[00000030h]10_2_02F6329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6E284 mov eax, dword ptr fs:[00000030h]10_2_02F6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6E284 mov eax, dword ptr fs:[00000030h]10_2_02F6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB0283 mov eax, dword ptr fs:[00000030h]10_2_02FB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB0283 mov eax, dword ptr fs:[00000030h]10_2_02FB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB0283 mov eax, dword ptr fs:[00000030h]10_2_02FB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F59274 mov eax, dword ptr fs:[00000030h]10_2_02F59274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F71270 mov eax, dword ptr fs:[00000030h]10_2_02F71270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F71270 mov eax, dword ptr fs:[00000030h]10_2_02F71270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE0274 mov eax, dword ptr fs:[00000030h]10_2_02FE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F34260 mov eax, dword ptr fs:[00000030h]10_2_02F34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F34260 mov eax, dword ptr fs:[00000030h]10_2_02F34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F34260 mov eax, dword ptr fs:[00000030h]10_2_02F34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFD26B mov eax, dword ptr fs:[00000030h]10_2_02FFD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFD26B mov eax, dword ptr fs:[00000030h]10_2_02FFD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2826B mov eax, dword ptr fs:[00000030h]10_2_02F2826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0300539D mov eax, dword ptr fs:[00000030h]10_2_0300539D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2A250 mov eax, dword ptr fs:[00000030h]10_2_02F2A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEB256 mov eax, dword ptr fs:[00000030h]10_2_02FEB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEB256 mov eax, dword ptr fs:[00000030h]10_2_02FEB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F36259 mov eax, dword ptr fs:[00000030h]10_2_02F36259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F29240 mov eax, dword ptr fs:[00000030h]10_2_02F29240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F29240 mov eax, dword ptr fs:[00000030h]10_2_02F29240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6724D mov eax, dword ptr fs:[00000030h]10_2_02F6724D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2823B mov eax, dword ptr fs:[00000030h]10_2_02F2823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_030053FC mov eax, dword ptr fs:[00000030h]10_2_030053FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F67208 mov eax, dword ptr fs:[00000030h]10_2_02F67208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F67208 mov eax, dword ptr fs:[00000030h]10_2_02F67208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]10_2_02F4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]10_2_02F4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]10_2_02F4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F663FF mov eax, dword ptr fs:[00000030h]10_2_02F663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEF3E6 mov eax, dword ptr fs:[00000030h]10_2_02FEF3E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F403E9 mov eax, dword ptr fs:[00000030h]10_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F403E9 mov eax, dword ptr fs:[00000030h]10_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F403E9 mov eax, dword ptr fs:[00000030h]10_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F403E9 mov eax, dword ptr fs:[00000030h]10_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F403E9 mov eax, dword ptr fs:[00000030h]10_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F403E9 mov eax, dword ptr fs:[00000030h]10_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F403E9 mov eax, dword ptr fs:[00000030h]10_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F403E9 mov eax, dword ptr fs:[00000030h]10_2_02F403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03005227 mov eax, dword ptr fs:[00000030h]10_2_03005227
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEB3D0 mov ecx, dword ptr fs:[00000030h]10_2_02FEB3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEC3CD mov eax, dword ptr fs:[00000030h]10_2_02FEC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]10_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]10_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]10_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]10_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]10_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]10_2_02F3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F383C0 mov eax, dword ptr fs:[00000030h]10_2_02F383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F383C0 mov eax, dword ptr fs:[00000030h]10_2_02F383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F383C0 mov eax, dword ptr fs:[00000030h]10_2_02F383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F383C0 mov eax, dword ptr fs:[00000030h]10_2_02F383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F533A5 mov eax, dword ptr fs:[00000030h]10_2_02F533A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F633A0 mov eax, dword ptr fs:[00000030h]10_2_02F633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F633A0 mov eax, dword ptr fs:[00000030h]10_2_02F633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F8739A mov eax, dword ptr fs:[00000030h]10_2_02F8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F8739A mov eax, dword ptr fs:[00000030h]10_2_02F8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F28397 mov eax, dword ptr fs:[00000030h]10_2_02F28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F28397 mov eax, dword ptr fs:[00000030h]10_2_02F28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F28397 mov eax, dword ptr fs:[00000030h]10_2_02F28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2E388 mov eax, dword ptr fs:[00000030h]10_2_02F2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2E388 mov eax, dword ptr fs:[00000030h]10_2_02F2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2E388 mov eax, dword ptr fs:[00000030h]10_2_02F2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5438F mov eax, dword ptr fs:[00000030h]10_2_02F5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5438F mov eax, dword ptr fs:[00000030h]10_2_02F5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FD437C mov eax, dword ptr fs:[00000030h]10_2_02FD437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03005283 mov eax, dword ptr fs:[00000030h]10_2_03005283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F37370 mov eax, dword ptr fs:[00000030h]10_2_02F37370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F37370 mov eax, dword ptr fs:[00000030h]10_2_02F37370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F37370 mov eax, dword ptr fs:[00000030h]10_2_02F37370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEF367 mov eax, dword ptr fs:[00000030h]10_2_02FEF367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F29353 mov eax, dword ptr fs:[00000030h]10_2_02F29353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F29353 mov eax, dword ptr fs:[00000030h]10_2_02F29353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB035C mov eax, dword ptr fs:[00000030h]10_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB035C mov eax, dword ptr fs:[00000030h]10_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB035C mov eax, dword ptr fs:[00000030h]10_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB035C mov ecx, dword ptr fs:[00000030h]10_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB035C mov eax, dword ptr fs:[00000030h]10_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB035C mov eax, dword ptr fs:[00000030h]10_2_02FB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FFA352 mov eax, dword ptr fs:[00000030h]10_2_02FFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB2349 mov eax, dword ptr fs:[00000030h]10_2_02FB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2D34C mov eax, dword ptr fs:[00000030h]10_2_02F2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2D34C mov eax, dword ptr fs:[00000030h]10_2_02F2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F27330 mov eax, dword ptr fs:[00000030h]10_2_02F27330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF132D mov eax, dword ptr fs:[00000030h]10_2_02FF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF132D mov eax, dword ptr fs:[00000030h]10_2_02FF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5F32A mov eax, dword ptr fs:[00000030h]10_2_02F5F32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2C310 mov ecx, dword ptr fs:[00000030h]10_2_02F2C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_030052E2 mov eax, dword ptr fs:[00000030h]10_2_030052E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F50310 mov ecx, dword ptr fs:[00000030h]10_2_02F50310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB930B mov eax, dword ptr fs:[00000030h]10_2_02FB930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB930B mov eax, dword ptr fs:[00000030h]10_2_02FB930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB930B mov eax, dword ptr fs:[00000030h]10_2_02FB930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6A30B mov eax, dword ptr fs:[00000030h]10_2_02F6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6A30B mov eax, dword ptr fs:[00000030h]10_2_02F6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6A30B mov eax, dword ptr fs:[00000030h]10_2_02F6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]10_2_02F2C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F720F0 mov ecx, dword ptr fs:[00000030h]10_2_02F720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F550E4 mov eax, dword ptr fs:[00000030h]10_2_02F550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F550E4 mov ecx, dword ptr fs:[00000030h]10_2_02F550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]10_2_02F2A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F380E9 mov eax, dword ptr fs:[00000030h]10_2_02F380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB20DE mov eax, dword ptr fs:[00000030h]10_2_02FB20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F590DB mov eax, dword ptr fs:[00000030h]10_2_02F590DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov ecx, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov ecx, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov ecx, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov ecx, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F470C0 mov eax, dword ptr fs:[00000030h]10_2_02F470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAD0C0 mov eax, dword ptr fs:[00000030h]10_2_02FAD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAD0C0 mov eax, dword ptr fs:[00000030h]10_2_02FAD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF60B8 mov eax, dword ptr fs:[00000030h]10_2_02FF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]10_2_02FF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03005152 mov eax, dword ptr fs:[00000030h]10_2_03005152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F35096 mov eax, dword ptr fs:[00000030h]10_2_02F35096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5D090 mov eax, dword ptr fs:[00000030h]10_2_02F5D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5D090 mov eax, dword ptr fs:[00000030h]10_2_02F5D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6909C mov eax, dword ptr fs:[00000030h]10_2_02F6909C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3208A mov eax, dword ptr fs:[00000030h]10_2_02F3208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2D08D mov eax, dword ptr fs:[00000030h]10_2_02F2D08D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov ecx, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F41070 mov eax, dword ptr fs:[00000030h]10_2_02F41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5C073 mov eax, dword ptr fs:[00000030h]10_2_02F5C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAD070 mov ecx, dword ptr fs:[00000030h]10_2_02FAD070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB106E mov eax, dword ptr fs:[00000030h]10_2_02FB106E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F32050 mov eax, dword ptr fs:[00000030h]10_2_02F32050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FD705E mov ebx, dword ptr fs:[00000030h]10_2_02FD705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FD705E mov eax, dword ptr fs:[00000030h]10_2_02FD705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5B052 mov eax, dword ptr fs:[00000030h]10_2_02F5B052
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF903E mov eax, dword ptr fs:[00000030h]10_2_02FF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF903E mov eax, dword ptr fs:[00000030h]10_2_02FF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF903E mov eax, dword ptr fs:[00000030h]10_2_02FF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF903E mov eax, dword ptr fs:[00000030h]10_2_02FF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_030051CB mov eax, dword ptr fs:[00000030h]10_2_030051CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2A020 mov eax, dword ptr fs:[00000030h]10_2_02F2A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2C020 mov eax, dword ptr fs:[00000030h]10_2_02F2C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4E016 mov eax, dword ptr fs:[00000030h]10_2_02F4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4E016 mov eax, dword ptr fs:[00000030h]10_2_02F4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4E016 mov eax, dword ptr fs:[00000030h]10_2_02F4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4E016 mov eax, dword ptr fs:[00000030h]10_2_02F4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_030061E5 mov eax, dword ptr fs:[00000030h]10_2_030061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB4000 mov ecx, dword ptr fs:[00000030h]10_2_02FB4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F601F8 mov eax, dword ptr fs:[00000030h]10_2_02F601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F551EF mov eax, dword ptr fs:[00000030h]10_2_02F551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F351ED mov eax, dword ptr fs:[00000030h]10_2_02F351ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6D1D0 mov eax, dword ptr fs:[00000030h]10_2_02F6D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6D1D0 mov ecx, dword ptr fs:[00000030h]10_2_02F6D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]10_2_02FAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]10_2_02FAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]10_2_02FAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]10_2_02FAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]10_2_02FAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF61C3 mov eax, dword ptr fs:[00000030h]10_2_02FF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF61C3 mov eax, dword ptr fs:[00000030h]10_2_02FF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4B1B0 mov eax, dword ptr fs:[00000030h]10_2_02F4B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE11A4 mov eax, dword ptr fs:[00000030h]10_2_02FE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE11A4 mov eax, dword ptr fs:[00000030h]10_2_02FE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE11A4 mov eax, dword ptr fs:[00000030h]10_2_02FE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FE11A4 mov eax, dword ptr fs:[00000030h]10_2_02FE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03005060 mov eax, dword ptr fs:[00000030h]10_2_03005060
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB019F mov eax, dword ptr fs:[00000030h]10_2_02FB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB019F mov eax, dword ptr fs:[00000030h]10_2_02FB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB019F mov eax, dword ptr fs:[00000030h]10_2_02FB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB019F mov eax, dword ptr fs:[00000030h]10_2_02FB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2A197 mov eax, dword ptr fs:[00000030h]10_2_02F2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2A197 mov eax, dword ptr fs:[00000030h]10_2_02F2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2A197 mov eax, dword ptr fs:[00000030h]10_2_02F2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F87190 mov eax, dword ptr fs:[00000030h]10_2_02F87190
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F70185 mov eax, dword ptr fs:[00000030h]10_2_02F70185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEC188 mov eax, dword ptr fs:[00000030h]10_2_02FEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEC188 mov eax, dword ptr fs:[00000030h]10_2_02FEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F172 mov eax, dword ptr fs:[00000030h]10_2_02F2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC9179 mov eax, dword ptr fs:[00000030h]10_2_02FC9179
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F37152 mov eax, dword ptr fs:[00000030h]10_2_02F37152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2C156 mov eax, dword ptr fs:[00000030h]10_2_02F2C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F36154 mov eax, dword ptr fs:[00000030h]10_2_02F36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F36154 mov eax, dword ptr fs:[00000030h]10_2_02F36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC4144 mov eax, dword ptr fs:[00000030h]10_2_02FC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC4144 mov eax, dword ptr fs:[00000030h]10_2_02FC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC4144 mov ecx, dword ptr fs:[00000030h]10_2_02FC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC4144 mov eax, dword ptr fs:[00000030h]10_2_02FC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC4144 mov eax, dword ptr fs:[00000030h]10_2_02FC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F29148 mov eax, dword ptr fs:[00000030h]10_2_02F29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F29148 mov eax, dword ptr fs:[00000030h]10_2_02F29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F29148 mov eax, dword ptr fs:[00000030h]10_2_02F29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F29148 mov eax, dword ptr fs:[00000030h]10_2_02F29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F31131 mov eax, dword ptr fs:[00000030h]10_2_02F31131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F31131 mov eax, dword ptr fs:[00000030h]10_2_02F31131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B136 mov eax, dword ptr fs:[00000030h]10_2_02F2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B136 mov eax, dword ptr fs:[00000030h]10_2_02F2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B136 mov eax, dword ptr fs:[00000030h]10_2_02F2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B136 mov eax, dword ptr fs:[00000030h]10_2_02F2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F60124 mov eax, dword ptr fs:[00000030h]10_2_02F60124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_030050D9 mov eax, dword ptr fs:[00000030h]10_2_030050D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FDA118 mov ecx, dword ptr fs:[00000030h]10_2_02FDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FDA118 mov eax, dword ptr fs:[00000030h]10_2_02FDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FDA118 mov eax, dword ptr fs:[00000030h]10_2_02FDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FDA118 mov eax, dword ptr fs:[00000030h]10_2_02FDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF0115 mov eax, dword ptr fs:[00000030h]10_2_02FF0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]10_2_02FAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]10_2_02FAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]10_2_02FAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]10_2_02FAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB06F1 mov eax, dword ptr fs:[00000030h]10_2_02FB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB06F1 mov eax, dword ptr fs:[00000030h]10_2_02FB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FED6F0 mov eax, dword ptr fs:[00000030h]10_2_02FED6F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC36EE mov eax, dword ptr fs:[00000030h]10_2_02FC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC36EE mov eax, dword ptr fs:[00000030h]10_2_02FC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC36EE mov eax, dword ptr fs:[00000030h]10_2_02FC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC36EE mov eax, dword ptr fs:[00000030h]10_2_02FC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC36EE mov eax, dword ptr fs:[00000030h]10_2_02FC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FC36EE mov eax, dword ptr fs:[00000030h]10_2_02FC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5D6E0 mov eax, dword ptr fs:[00000030h]10_2_02F5D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5D6E0 mov eax, dword ptr fs:[00000030h]10_2_02F5D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]10_2_02F6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]10_2_02F6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]10_2_02F3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]10_2_02F3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]10_2_02F3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]10_2_02F3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]10_2_02F3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]10_2_02F3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF16CC mov eax, dword ptr fs:[00000030h]10_2_02FF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF16CC mov eax, dword ptr fs:[00000030h]10_2_02FF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF16CC mov eax, dword ptr fs:[00000030h]10_2_02FF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF16CC mov eax, dword ptr fs:[00000030h]10_2_02FF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEF6C7 mov eax, dword ptr fs:[00000030h]10_2_02FEF6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F616CF mov eax, dword ptr fs:[00000030h]10_2_02F616CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0300B73C mov eax, dword ptr fs:[00000030h]10_2_0300B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0300B73C mov eax, dword ptr fs:[00000030h]10_2_0300B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0300B73C mov eax, dword ptr fs:[00000030h]10_2_0300B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0300B73C mov eax, dword ptr fs:[00000030h]10_2_0300B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F276B2 mov eax, dword ptr fs:[00000030h]10_2_02F276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F276B2 mov eax, dword ptr fs:[00000030h]10_2_02F276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F276B2 mov eax, dword ptr fs:[00000030h]10_2_02F276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F666B0 mov eax, dword ptr fs:[00000030h]10_2_02F666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03003749 mov eax, dword ptr fs:[00000030h]10_2_03003749
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]10_2_02F6C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2D6AA mov eax, dword ptr fs:[00000030h]10_2_02F2D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2D6AA mov eax, dword ptr fs:[00000030h]10_2_02F2D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F34690 mov eax, dword ptr fs:[00000030h]10_2_02F34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F34690 mov eax, dword ptr fs:[00000030h]10_2_02F34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB368C mov eax, dword ptr fs:[00000030h]10_2_02FB368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB368C mov eax, dword ptr fs:[00000030h]10_2_02FB368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB368C mov eax, dword ptr fs:[00000030h]10_2_02FB368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB368C mov eax, dword ptr fs:[00000030h]10_2_02FB368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F62674 mov eax, dword ptr fs:[00000030h]10_2_02F62674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF866E mov eax, dword ptr fs:[00000030h]10_2_02FF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF866E mov eax, dword ptr fs:[00000030h]10_2_02FF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6A660 mov eax, dword ptr fs:[00000030h]10_2_02F6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6A660 mov eax, dword ptr fs:[00000030h]10_2_02F6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F69660 mov eax, dword ptr fs:[00000030h]10_2_02F69660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F69660 mov eax, dword ptr fs:[00000030h]10_2_02F69660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4C640 mov eax, dword ptr fs:[00000030h]10_2_02F4C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_030037B6 mov eax, dword ptr fs:[00000030h]10_2_030037B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4E627 mov eax, dword ptr fs:[00000030h]10_2_02F4E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F626 mov eax, dword ptr fs:[00000030h]10_2_02F2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F626 mov eax, dword ptr fs:[00000030h]10_2_02F2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F626 mov eax, dword ptr fs:[00000030h]10_2_02F2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F626 mov eax, dword ptr fs:[00000030h]10_2_02F2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F626 mov eax, dword ptr fs:[00000030h]10_2_02F2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F626 mov eax, dword ptr fs:[00000030h]10_2_02F2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F626 mov eax, dword ptr fs:[00000030h]10_2_02F2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F626 mov eax, dword ptr fs:[00000030h]10_2_02F2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F626 mov eax, dword ptr fs:[00000030h]10_2_02F2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F66620 mov eax, dword ptr fs:[00000030h]10_2_02F66620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F68620 mov eax, dword ptr fs:[00000030h]10_2_02F68620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3262C mov eax, dword ptr fs:[00000030h]10_2_02F3262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F33616 mov eax, dword ptr fs:[00000030h]10_2_02F33616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F33616 mov eax, dword ptr fs:[00000030h]10_2_02F33616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72619 mov eax, dword ptr fs:[00000030h]10_2_02F72619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F61607 mov eax, dword ptr fs:[00000030h]10_2_02F61607
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAE609 mov eax, dword ptr fs:[00000030h]10_2_02FAE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6F603 mov eax, dword ptr fs:[00000030h]10_2_02F6F603
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4260B mov eax, dword ptr fs:[00000030h]10_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4260B mov eax, dword ptr fs:[00000030h]10_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4260B mov eax, dword ptr fs:[00000030h]10_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4260B mov eax, dword ptr fs:[00000030h]10_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4260B mov eax, dword ptr fs:[00000030h]10_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4260B mov eax, dword ptr fs:[00000030h]10_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4260B mov eax, dword ptr fs:[00000030h]10_2_02F4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F347FB mov eax, dword ptr fs:[00000030h]10_2_02F347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F347FB mov eax, dword ptr fs:[00000030h]10_2_02F347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3D7E0 mov ecx, dword ptr fs:[00000030h]10_2_02F3D7E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F527ED mov eax, dword ptr fs:[00000030h]10_2_02F527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F527ED mov eax, dword ptr fs:[00000030h]10_2_02F527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F527ED mov eax, dword ptr fs:[00000030h]10_2_02F527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]10_2_02F3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F357C0 mov eax, dword ptr fs:[00000030h]10_2_02F357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F357C0 mov eax, dword ptr fs:[00000030h]10_2_02F357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F357C0 mov eax, dword ptr fs:[00000030h]10_2_02F357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03005636 mov eax, dword ptr fs:[00000030h]10_2_03005636
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB07C3 mov eax, dword ptr fs:[00000030h]10_2_02FB07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F5D7B0 mov eax, dword ptr fs:[00000030h]10_2_02F5D7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F7BA mov eax, dword ptr fs:[00000030h]10_2_02F2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F7BA mov eax, dword ptr fs:[00000030h]10_2_02F2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F7BA mov eax, dword ptr fs:[00000030h]10_2_02F2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F7BA mov eax, dword ptr fs:[00000030h]10_2_02F2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F7BA mov eax, dword ptr fs:[00000030h]10_2_02F2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F7BA mov eax, dword ptr fs:[00000030h]10_2_02F2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F7BA mov eax, dword ptr fs:[00000030h]10_2_02F2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F7BA mov eax, dword ptr fs:[00000030h]10_2_02F2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2F7BA mov eax, dword ptr fs:[00000030h]10_2_02F2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB97A9 mov eax, dword ptr fs:[00000030h]10_2_02FB97A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FBF7AF mov eax, dword ptr fs:[00000030h]10_2_02FBF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FBF7AF mov eax, dword ptr fs:[00000030h]10_2_02FBF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FBF7AF mov eax, dword ptr fs:[00000030h]10_2_02FBF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FBF7AF mov eax, dword ptr fs:[00000030h]10_2_02FBF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FBF7AF mov eax, dword ptr fs:[00000030h]10_2_02FBF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F307AF mov eax, dword ptr fs:[00000030h]10_2_02F307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEF78A mov eax, dword ptr fs:[00000030h]10_2_02FEF78A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F38770 mov eax, dword ptr fs:[00000030h]10_2_02F38770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F40770 mov eax, dword ptr fs:[00000030h]10_2_02F40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B765 mov eax, dword ptr fs:[00000030h]10_2_02F2B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B765 mov eax, dword ptr fs:[00000030h]10_2_02F2B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B765 mov eax, dword ptr fs:[00000030h]10_2_02F2B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B765 mov eax, dword ptr fs:[00000030h]10_2_02F2B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F30750 mov eax, dword ptr fs:[00000030h]10_2_02F30750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72750 mov eax, dword ptr fs:[00000030h]10_2_02F72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F72750 mov eax, dword ptr fs:[00000030h]10_2_02F72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FB4755 mov eax, dword ptr fs:[00000030h]10_2_02FB4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F43740 mov eax, dword ptr fs:[00000030h]10_2_02F43740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F43740 mov eax, dword ptr fs:[00000030h]10_2_02F43740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F43740 mov eax, dword ptr fs:[00000030h]10_2_02F43740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6674D mov esi, dword ptr fs:[00000030h]10_2_02F6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6674D mov eax, dword ptr fs:[00000030h]10_2_02F6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6674D mov eax, dword ptr fs:[00000030h]10_2_02F6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F29730 mov eax, dword ptr fs:[00000030h]10_2_02F29730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F29730 mov eax, dword ptr fs:[00000030h]10_2_02F29730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F65734 mov eax, dword ptr fs:[00000030h]10_2_02F65734
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3973A mov eax, dword ptr fs:[00000030h]10_2_02F3973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F3973A mov eax, dword ptr fs:[00000030h]10_2_02F3973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6273C mov eax, dword ptr fs:[00000030h]10_2_02F6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6273C mov ecx, dword ptr fs:[00000030h]10_2_02F6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6273C mov eax, dword ptr fs:[00000030h]10_2_02F6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FAC730 mov eax, dword ptr fs:[00000030h]10_2_02FAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FEF72E mov eax, dword ptr fs:[00000030h]10_2_02FEF72E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F33720 mov eax, dword ptr fs:[00000030h]10_2_02F33720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4F720 mov eax, dword ptr fs:[00000030h]10_2_02F4F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4F720 mov eax, dword ptr fs:[00000030h]10_2_02F4F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F4F720 mov eax, dword ptr fs:[00000030h]10_2_02F4F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02FF972B mov eax, dword ptr fs:[00000030h]10_2_02FF972B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6C720 mov eax, dword ptr fs:[00000030h]10_2_02F6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F6C720 mov eax, dword ptr fs:[00000030h]10_2_02F6C720
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Found direct / indirect Syscall (likely to bypass EDR)
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeNtOpenKeyEx: Indirect: 0x140077B9BJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeNtQueryValueKey: Indirect: 0x140077C9FJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeNtClose: Indirect: 0x140077E81
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2519008Jump to behavior
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BzK8rQh2O3.exe"Jump to behavior
          Source: BzK8rQh2O3.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: C:\Users\user\Desktop\BzK8rQh2O3.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\AppVClient.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeQueries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTB36B.tmp VolumeInformationJump to behavior
          Source: C:\Windows\System32\FXSSVC.exeQueries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTB37B.tmp VolumeInformationJump to behavior
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\AppVClient.exeCode function: 6_2_00760080 VirtualFree,VirtualFree,VirtualAlloc,GetUserNameW,GetComputerNameW,GetComputerNameW,6_2_00760080

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 10.2.svchost.exe.2d0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.svchost.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000A.00000002.2005006372.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 10.2.svchost.exe.2d0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 10.2.svchost.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000A.00000002.2005006372.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
          Native API          		2
          LSASS Driver          		212
          Process Injection          		222
          Masquerading          		OS Credential Dumping221
          Security Software Discovery          		1
          Taint Shared Content          		1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          DLL Side-Loading          		1
          Abuse Elevation Control Mechanism          		2
          Virtualization/Sandbox Evasion          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable Media2
          Non-Application Layer Protocol          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
          LSASS Driver          		212
          Process Injection          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared Drive12
          Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
          DLL Side-Loading          		1
          Deobfuscate/Decode Files or Information          		NTDS1
          Account Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Abuse Elevation Control Mechanism          		LSA Secrets1
          System Owner/User Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
          Obfuscated Files or Information          		Cached Domain Credentials111
          System Information Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
          Software Packing          		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
          Timestomp          		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
          DLL Side-Loading          		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1588590 Sample: BzK8rQh2O3.exe Startdate: 11/01/2025 Architecture: WINDOWS Score: 100 28 zlenh.biz 2->28 30 uhxqin.biz 2->30 32 5 other IPs or domains 2->32 38 Suricata IDS alerts for network traffic 2->38 40 Antivirus detection for URL or domain 2->40 42 Antivirus detection for dropped file 2->42 44 8 other signatures 2->44 7 BzK8rQh2O3.exe 3 2->7         started        12 AppVClient.exe 1 2->12         started        14 FXSSVC.exe 15 4 2->14         started        16 7 other processes 2->16 signatures3 process4 dnsIp5 34 ssbzmoy.biz 18.141.10.107, 49731, 49734, 49740 AMAZON-02US United States 7->34 36 pywolwnvd.biz 54.244.188.177, 49730, 49732, 49733 AMAZON-02US United States 7->36 20 C:\Windows\System32\alg.exe, PE32+ 7->20 dropped 22 C:\Windows\System32\FXSSVC.exe, PE32+ 7->22 dropped 24 DiagnosticsHub.Sta...llector.Service.exe, PE32+ 7->24 dropped 26 3 other malicious files 7->26 dropped 46 Binary is likely a compiled AutoIt script file 7->46 48 Writes to foreign memory regions 7->48 50 Maps a DLL or memory area into another process 7->50 62 3 other signatures 7->62 18 svchost.exe 7->18         started        52 Antivirus detection for dropped file 12->52 54 Creates files in the system32 config directory 12->54 56 Machine Learning detection for dropped file 12->56 58 Contains functionality to behave differently if execute on a Russian/Kazak computer 12->58 60 Found direct / indirect Syscall (likely to bypass EDR) 16->60 file6 signatures7 process8

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          BzK8rQh2O3.exe75%VirustotalBrowse
          BzK8rQh2O3.exe87%ReversingLabsWin32.Virus.Expiro
          BzK8rQh2O3.exe100%AviraW32/Infector.Gen
          BzK8rQh2O3.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe100%AviraW32/Infector.Gen
          C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe100%AviraW32/Infector.Gen
          C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe100%AviraW32/Infector.Gen
          C:\Windows\System32\AppVClient.exe100%AviraW32/Infector.Gen
          C:\Windows\System32\FXSSVC.exe100%AviraW32/Infector.Gen
          C:\Windows\System32\alg.exe100%AviraW32/Infector.Gen
          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe100%Joe Sandbox ML
          C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe100%Joe Sandbox ML
          C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe100%Joe Sandbox ML
          C:\Windows\System32\AppVClient.exe100%Joe Sandbox ML
          C:\Windows\System32\FXSSVC.exe100%Joe Sandbox ML
          C:\Windows\System32\alg.exe100%Joe Sandbox ML

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://18.141.10.107:80/ahu0%Avira URL Cloudsafe
          http://54.244.188.177/sqhuoucbvpfptw100%Avira URL Cloudmalware
          http://54.244.188.177/sqhuoucbvpfptwW100%Avira URL Cloudmalware
          http://18.141.10.107/ahuM-0%Avira URL Cloudsafe
          http://54.244.188.177/H100%Avira URL Cloudmalware
          http://54.244.188.177/x100%Avira URL Cloudmalware
          http://54.244.188.177:80/sqhuoucbvpfptws100%Avira URL Cloudmalware
          http://schemas.micrXXG0%Avira URL Cloudsafe
          http://18.141.10.107/ahu0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          cvgrf.biz
          		54.244.188.177
          		truefalse
            		high
            pwlqfu.biz
            		34.246.200.160
            		truefalse
              		high
              ssbzmoy.biz
              		18.141.10.107
              		truefalse
                		high
                pywolwnvd.biz
                		54.244.188.177
                		truefalse
                  		high

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://wllvnzb.biz/wxwlgrofalse
                    		high
                    http://lrxdmhrr.biz/hnkfalse
                      		high
                      http://dwrqljrr.biz/jhjqfhvnwcnnmfalse
                        		high
                        http://knjghuig.biz/mygkicdwtcskafalse
                          		high
                          http://warkcdu.biz/wdqbfpacfalse
                            		high
                            http://rynmcq.biz/tebnqgyfalse
                              		high
                              http://knjghuig.biz/afalse
                                		high
                                http://acwjcqqv.biz/cvgvkeodaeofalse
                                  		high
                                  http://cvgrf.biz/flkkbmligcvmrctjfalse
                                    		high
                                    http://oshhkdluh.biz/jetrwdoymgqweqlrfalse
                                      		high
                                      http://rynmcq.biz/lglaocayhhpbnifalse
                                        		high
                                        http://ssbzmoy.biz/ggjlwfalse
                                          		high
                                          http://pywolwnvd.biz/sqhuoucbvpfptwfalse
                                            		high
                                            http://vcddkls.biz/eicnkswtpuoihirfalse
                                              		high
                                              http://pywolwnvd.biz/nxbrnchslffalse
                                                		high
                                                http://eufxebus.biz/bjgvdeudffalse
                                                  		high
                                                  http://cvgrf.biz/dufkpolfalse
                                                    		high
                                                    http://ssbzmoy.biz/ahufalse
                                                      		high

                                                      URLs from Memory and Binaries

                                                      NameSourceMaliciousAntivirus DetectionReputation
                                                      http://54.244.188.177/sqhuoucbvpfptwBzK8rQh2O3.exe, 00000000.00000003.1733011212.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736030447.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1757872961.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1743530984.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1743990008.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734456516.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734887127.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736030447.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1757872961.0000000000B84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      		unknown
                                                      http://54.244.188.177:80/sqhuoucbvpfptwsBzK8rQh2O3.exe, 00000000.00000003.1757872961.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1743990008.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736030447.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734887127.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734456516.0000000000C00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      		unknown
                                                      http://18.141.10.107/ahuM-BzK8rQh2O3.exe, 00000000.00000003.1758322463.0000000000B6A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://54.244.188.177/sqhuoucbvpfptwWBzK8rQh2O3.exe, 00000000.00000003.1733011212.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736030447.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1757872961.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1743530984.0000000000C77000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      		unknown
                                                      http://18.141.10.107/ahuBzK8rQh2O3.exe, 00000000.00000003.1758322463.0000000000B6A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://18.141.10.107:80/ahuBzK8rQh2O3.exe, 00000000.00000003.1757872961.0000000000BF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://18.141.10.107/BzK8rQh2O3.exe, 00000000.00000003.1758322463.0000000000B72000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://54.244.188.177/xBzK8rQh2O3.exe, 00000000.00000003.1733197857.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1744833710.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1734822770.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1744568591.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1745163536.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1737280802.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1746579812.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736599685.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1737178163.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1735908567.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736723081.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1758121231.0000000000DD4000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1733503393.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1745592328.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1745421290.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736845295.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1744676010.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1733825138.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1743165787.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1736468723.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, BzK8rQh2O3.exe, 00000000.00000003.1737068539.0000000000D8D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        		unknown
                                                        http://54.244.188.177/HBzK8rQh2O3.exe, 00000000.00000003.1743530984.0000000000B62000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: malware
                                                        		unknown
                                                        http://schemas.micrXXGAppVClient.exe, 00000006.00000003.1740542601.0000000000575000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1740328267.0000000000566000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1739746989.0000000000510000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000002.1757094761.0000000000575000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1740108258.0000000000517000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown

                                                        World Map of Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public IPs

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        54.244.188.177
                                                        		cvgrf.bizUnited States
                                                        		16509AMAZON-02USfalse
                                                        18.141.10.107
                                                        		ssbzmoy.bizUnited States
                                                        		16509AMAZON-02USfalse

                                                        General Information

                                                        Joe Sandbox version:42.0.0 Malachite
                                                        Analysis ID:1588590
                                                        Start date and time:2025-01-11 02:48:59 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 7m 44s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:14
                                                        Number of new started drivers analysed:3
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:BzK8rQh2O3.exe
                                                        renamed because original name is a hash value
                                                        Original Sample Name:03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe
                                                        Detection:MAL
                                                        Classification:mal100.spre.troj.expl.evad.winEXE@9/11@7/2
                                                        EGA Information:
                                                        • Successful, ratio: 100%
                                                        HCA Information:
                                                        • Successful, ratio: 70%
                                                        • Number of executed functions: 41
                                                        • Number of non-executed functions: 240
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe

                                                        Warnings

                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, DiagnosticsHub.StandardCollector.Service.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                        • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
                                                        • Excluded domains from analysis (whitelisted): uaafd.biz, slscr.update.microsoft.com, vjaxhpbji.biz, ytctnunms.biz, lrxdmhrr.biz, vrrazpdh.biz, tbjrpv.biz, hehckyov.biz, ocsp.digicert.com, xlfhhhm.biz, warkcdu.biz, npukfztj.biz, anpmnmxo.biz, sxmiywsfv.biz, przvgke.biz, ww7.przvgke.biz, dwrqljrr.biz, gytujflc.biz, gvijgjwkh.biz, zjbpaao.biz, gnqgo.biz, deoci.biz, iuzpxe.biz, nqwjmb.biz, wllvnzb.biz, lpuegx.biz, bumxkqgxu.biz, yhqqc.biz, vcddkls.biz, vyome.biz, dlynankz.biz, gcedd.biz, xccjj.biz, ww12.fwiwk.biz, oshhkdluh.biz, opowhhece.biz, jwkoeoqns.biz, jpskm.biz, ftxlah.biz, ifsaia.biz, uhxqin.biz, rynmcq.biz, oflybfv.biz, jhvzpcfg.biz, saytjshyf.biz, fwiwk.biz, typgfhb.biz, esuzf.biz, eufxebus.biz, ww7.fwiwk.biz, zlenh.biz, otelrules.azureedge.net, myups.biz, yauexmxk.biz, knjghuig.biz, yunalwv.biz, ctldl.windowsupdate.com, brsua.biz, fe3cr.delivery.mp.microsoft.com, ww12.przvgke.biz, mgmsclkyu.biz, qaynky.biz, lejtdj.biz, qpnczch.biz, mnjmhp.biz, acwjcqqv.biz, jdhhbs.biz
                                                        • Not all processes where analyzed, report is missing behavior information

                                                        Simulations

                                                        Behavior and APIs

                                                        TimeTypeDescription
                                                        20:49:56API Interceptor2x Sleep call for process: BzK8rQh2O3.exe modified
                                                        20:50:19API Interceptor3x Sleep call for process: svchost.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        54.244.188.177uG3I84bQEr.exeGet hashmaliciousFormBookBrowse
                                                        • pywolwnvd.biz/exqctojotladvua
                                                        LiuUGJK9vH.exeGet hashmaliciousFormBookBrowse
                                                        • pywolwnvd.biz/hdjf
                                                        UaOJAOMxcU.exeGet hashmaliciousFormBookBrowse
                                                        • pywolwnvd.biz/rhimsaly
                                                        SABXJ1B5c8.exeGet hashmaliciousMassLogger RATBrowse
                                                        • cvgrf.biz/kmpia
                                                        I3LPkQh2an.exeGet hashmaliciousFormBookBrowse
                                                        • lrxdmhrr.biz/rwlfutjcp
                                                        OVZizpEU7Q.exeGet hashmaliciousFormBookBrowse
                                                        • pywolwnvd.biz/wlyolqts
                                                        RJKUWSGxej.exeGet hashmaliciousAgentTesla, RedLineBrowse
                                                        • lrxdmhrr.biz/tbbwyfgx
                                                        PO_2024_056209_MQ04865_ENQ_1045.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                        • lrxdmhrr.biz/fncvigkebkn
                                                        REQUEST FOR QUOTATION 1307-RFQ.exeGet hashmaliciousMassLogger RATBrowse
                                                        • cvgrf.biz/dy
                                                        HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                        • cvgrf.biz/ubwy
                                                        18.141.10.107uG3I84bQEr.exeGet hashmaliciousFormBookBrowse
                                                        • ssbzmoy.biz/dwlowhbefckeyd
                                                        LiuUGJK9vH.exeGet hashmaliciousFormBookBrowse
                                                        • ssbzmoy.biz/rai
                                                        SABXJ1B5c8.exeGet hashmaliciousMassLogger RATBrowse
                                                        • knjghuig.biz/wmfptllh
                                                        I3LPkQh2an.exeGet hashmaliciousFormBookBrowse
                                                        • warkcdu.biz/gloumaahxxajxf
                                                        RJKUWSGxej.exeGet hashmaliciousAgentTesla, RedLineBrowse
                                                        • warkcdu.biz/d
                                                        PO_2024_056209_MQ04865_ENQ_1045.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                        • vcddkls.biz/we
                                                        REQUEST FOR QUOTATION 1307-RFQ.exeGet hashmaliciousMassLogger RATBrowse
                                                        • vcddkls.biz/kknpblsbxdrrjko
                                                        HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                        • knjghuig.biz/nfm
                                                        INV_NE_02_2034388.exeGet hashmaliciousFormBookBrowse
                                                        • vcddkls.biz/x
                                                        Shipment Notification.exeGet hashmaliciousFormBookBrowse
                                                        • knjghuig.biz/hsyjdjsftfdjf

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        cvgrf.bizSABXJ1B5c8.exeGet hashmaliciousMassLogger RATBrowse
                                                        • 54.244.188.177
                                                        I3LPkQh2an.exeGet hashmaliciousFormBookBrowse
                                                        • 54.244.188.177
                                                        RJKUWSGxej.exeGet hashmaliciousAgentTesla, RedLineBrowse
                                                        • 54.244.188.177
                                                        PO_2024_056209_MQ04865_ENQ_1045.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                        • 54.244.188.177
                                                        REQUEST FOR QUOTATION 1307-RFQ.exeGet hashmaliciousMassLogger RATBrowse
                                                        • 54.244.188.177
                                                        HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                        • 54.244.188.177
                                                        INV_NE_02_2034388.exeGet hashmaliciousFormBookBrowse
                                                        • 54.244.188.177
                                                        HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                        • 54.244.188.177
                                                        HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                        • 54.244.188.177
                                                        PURCHASE REQUIRED DETAILS 000487958790903403.exeGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                        • 54.244.188.177
                                                        pwlqfu.bizOrder SMG 201906 20190816order.pdf.scr.exeGet hashmaliciousAgentTesla, MassLogger RAT, PureLog StealerBrowse
                                                        • 34.246.200.160
                                                        Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                        • 34.246.200.160
                                                        Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                        • 34.246.200.160
                                                        AENiBH7X1q.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                        • 34.246.200.160
                                                        E_dekont.cmdGet hashmaliciousDBatLoader, Nitol, PureLog Stealer, XWormBrowse
                                                        • 34.246.200.160
                                                        Y2EM7suNV5.exeGet hashmaliciousMassLogger RATBrowse
                                                        • 34.246.200.160
                                                        AsusSetup.exeGet hashmaliciousUnknownBrowse
                                                        • 34.246.200.160
                                                        SetupRST.exeGet hashmaliciousUnknownBrowse
                                                        • 34.246.200.160
                                                        AsusSetup.exeGet hashmaliciousUnknownBrowse
                                                        • 34.246.200.160
                                                        PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                        • 34.246.200.160
                                                        ssbzmoy.bizuG3I84bQEr.exeGet hashmaliciousFormBookBrowse
                                                        • 18.141.10.107
                                                        LiuUGJK9vH.exeGet hashmaliciousFormBookBrowse
                                                        • 18.141.10.107
                                                        UaOJAOMxcU.exeGet hashmaliciousFormBookBrowse
                                                        • 18.141.10.107
                                                        SABXJ1B5c8.exeGet hashmaliciousMassLogger RATBrowse
                                                        • 18.141.10.107
                                                        I3LPkQh2an.exeGet hashmaliciousFormBookBrowse
                                                        • 18.141.10.107
                                                        OVZizpEU7Q.exeGet hashmaliciousFormBookBrowse
                                                        • 18.141.10.107
                                                        RJKUWSGxej.exeGet hashmaliciousAgentTesla, RedLineBrowse
                                                        • 18.141.10.107
                                                        PO_2024_056209_MQ04865_ENQ_1045.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                        • 18.141.10.107
                                                        REQUEST FOR QUOTATION 1307-RFQ.exeGet hashmaliciousMassLogger RATBrowse
                                                        • 18.141.10.107
                                                        HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                        • 18.141.10.107

                                                        ASNs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        AMAZON-02USk9OEsV37GE.exeGet hashmaliciousFormBookBrowse
                                                        • 18.163.74.139
                                                        e47m9W6JGQ.exeGet hashmaliciousFormBookBrowse
                                                        • 13.248.169.48
                                                        XeFYBYYj0w.exeGet hashmaliciousFormBookBrowse
                                                        • 18.163.74.139
                                                        http://www.jadavisinjurylawyers.com/Get hashmaliciousUnknownBrowse
                                                        • 54.231.128.160
                                                        uG3I84bQEr.exeGet hashmaliciousFormBookBrowse
                                                        • 18.141.10.107
                                                        https://noiclethomas.wixsite.com/riceGet hashmaliciousUnknownBrowse
                                                        • 99.86.4.105
                                                        phish_alert_sp2_2.0.0.0(4).emlGet hashmaliciousUnknownBrowse
                                                        • 108.128.172.10
                                                        https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351Get hashmaliciousUnknownBrowse
                                                        • 52.208.198.158
                                                        https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351Get hashmaliciousUnknownBrowse
                                                        • 13.32.110.93
                                                        https://maya-lopez.filemail.com/t/XhcWEjoRGet hashmaliciousUnknownBrowse
                                                        • 108.138.26.78
                                                        AMAZON-02USk9OEsV37GE.exeGet hashmaliciousFormBookBrowse
                                                        • 18.163.74.139
                                                        e47m9W6JGQ.exeGet hashmaliciousFormBookBrowse
                                                        • 13.248.169.48
                                                        XeFYBYYj0w.exeGet hashmaliciousFormBookBrowse
                                                        • 18.163.74.139
                                                        http://www.jadavisinjurylawyers.com/Get hashmaliciousUnknownBrowse
                                                        • 54.231.128.160
                                                        uG3I84bQEr.exeGet hashmaliciousFormBookBrowse
                                                        • 18.141.10.107
                                                        https://noiclethomas.wixsite.com/riceGet hashmaliciousUnknownBrowse
                                                        • 99.86.4.105
                                                        phish_alert_sp2_2.0.0.0(4).emlGet hashmaliciousUnknownBrowse
                                                        • 108.128.172.10
                                                        https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351Get hashmaliciousUnknownBrowse
                                                        • 52.208.198.158
                                                        https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351Get hashmaliciousUnknownBrowse
                                                        • 13.32.110.93
                                                        https://maya-lopez.filemail.com/t/XhcWEjoRGet hashmaliciousUnknownBrowse
                                                        • 108.138.26.78

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

                                                        Download File
                                                        Process:C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1658880
                                                        Entropy (8bit):4.312996351424848
                                                        Encrypted:false
                                                        SSDEEP:24576:RxGBcmlwVg9N9JMlDlfjRiVuVsWt5MJMs:HGy+ggFIDRRAubt5M
                                                        MD5:224A86FD89B67F5874BE745F454A29D5
                                                        SHA1:37844AA75DB9C76439D8E7D1F414EB0E2D0091ED
                                                        SHA-256:579F86CD3F0B41ED3F05F2FD1ECDC65B0BC1BB97929D7517D2E9E11EAAC5270D
                                                        SHA-512:5F96DBBDB8E593ADC1CF58C9EFC86E6BECEAF2CAAE6594220A7ED7EAED2DD647994C8C7CAB3DAA758A3300E04814044B634B251A346CD9FDBEC4E155068C9C3E
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Reputation:low
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.................................It......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................

                                                        C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

                                                        Download File
                                                        Process:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):3141
                                                        Entropy (8bit):4.737568639004171
                                                        Encrypted:false
                                                        SSDEEP:24:X2+dc24V2d2y2n02j2zRt2ZWt32k2ZWmI32+n2E2h2Bq252T2ZWq32oB25L2ZWlL:lM6RlBmiwy2L13qgmXncD
                                                        MD5:2E168BFD7AE988AB627B20425C08203A
                                                        SHA1:51138B389DC4B72A693328A71F22675BDCD031C0
                                                        SHA-256:8C27F8508BEBFA2F892B93F34B38E19751C610EC88A0A19B034D34754BC5221B
                                                        SHA-512:0DC09D650E873D7E635B8692B095F3A876F673B68312A888C7E12B3D10D19830A96036D48B80E8F17B4DB64F6F31F01F29D7686D783A095AFE99708FB61FD735
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:2025-01-10 20:50:01-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2025-01-10 20:50:01-0500: Disabled unneeded token privilege: SeAuditPrivilege...2025-01-10 20:50:01-0500: Disabled unneeded token privilege: SeBackupPrivilege...2025-01-10 20:50:01-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2025-01-10 20:50:01-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2025-01-10 20:50:01-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2025-01-10 20:50:01-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2025-01-10 20:50:01-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2025-01-10 20:50:01-0500: Disabled unneeded token privilege: SeDebugPrivilege...2025-01-10 20:50:01-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2025-01-10 20:50:01-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2025-01-10 20:50:0

                                                        C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe

                                                        Download File
                                                        Process:C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:modified
                                                        Size (bytes):2370560
                                                        Entropy (8bit):7.031528446206911
                                                        Encrypted:false
                                                        SSDEEP:49152:KAMsOu3JfCIGnZuTodRFYKBrFDbWpkgFIDRRAubt5M:KAMa38ZuTSkUf
                                                        MD5:CD0215EA00A7CAEBDBEBFE7618F12C90
                                                        SHA1:403F57E590318469933C364687085964AB67856A
                                                        SHA-256:219C40B294CE2C88AD96CCACC2CE8B639020A9C6A2DDFA2C8CE3369FFE60F8F5
                                                        SHA-512:AD54AE10FAB3EBE389EAC5FAB4E2168B55C776340997DBA16AA277EA56B2C8CBC8D9D685C4E4CF1E454EA49E935A336E1C5594C9A1739E2CD5EA8D71D94CE317
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Reputation:low
                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e..........".................0..........@..............................%....._.$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................

                                                        C:\Users\user\AppData\Local\Temp\atule

                                                        Download File
                                                        Process:C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):289280
                                                        Entropy (8bit):7.993580951705767
                                                        Encrypted:true
                                                        SSDEEP:6144:z9e8YMSdo5IqUnCzZncpf2XNwueyWJWRcCNmgSwhBrOwk52+vNl:uMSW5cnqZsu9uyCWRcGmjwBawkH
                                                        MD5:1C512AD2627ECC378C15052A42BE284F
                                                        SHA1:FC8A97B57B84A884CC7BBDC288CA7230B979A1B6
                                                        SHA-256:2844B278776AF0B0477C05612988360B8C548A3FFF7C562C9B68D9AF644962E1
                                                        SHA-512:48B594604EAAD5859565D6E1BB604F214FDCADED13BEF4FCBE6B20723D99CFDF4200BEB7BB1445AC8A36B62F8DF8FFEC9391DD4AEF92D1E685B210BA0BC05A0A
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:...QJ7XES66D.BH.I7XEW66.7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XE.66D9O.FQ.>.d.7z...*!"iG**0DW).3#&?&Cx'2.D1Yp+&q.x.e:YR!.]OBuI7XEW66=6Y.u1..e%0..$P.X....8".,...l"/.S..kVQ.e9! l)P.EW66D7PB..I7.DV6.2..BHQI7XEW.6F6[CCQIo\EW66D7PBH.]7XEG66DGTBHQ.7XUW66F7PDHQI7XEW06D7PBHQIG\EW46D7PBHSIw.EW&6D'PBHQY7XUW66D7PRHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBH.=R 1W660`TBHAI7X.S66T7PBHQI7XEW66D7pBH1I7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D

                                                        C:\Users\user\AppData\Local\Temp\aut9C87.tmp

                                                        Download File
                                                        Process:C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):289280
                                                        Entropy (8bit):7.993580951705767
                                                        Encrypted:true
                                                        SSDEEP:6144:z9e8YMSdo5IqUnCzZncpf2XNwueyWJWRcCNmgSwhBrOwk52+vNl:uMSW5cnqZsu9uyCWRcGmjwBawkH
                                                        MD5:1C512AD2627ECC378C15052A42BE284F
                                                        SHA1:FC8A97B57B84A884CC7BBDC288CA7230B979A1B6
                                                        SHA-256:2844B278776AF0B0477C05612988360B8C548A3FFF7C562C9B68D9AF644962E1
                                                        SHA-512:48B594604EAAD5859565D6E1BB604F214FDCADED13BEF4FCBE6B20723D99CFDF4200BEB7BB1445AC8A36B62F8DF8FFEC9391DD4AEF92D1E685B210BA0BC05A0A
                                                        Malicious:false
                                                        Preview:...QJ7XES66D.BH.I7XEW66.7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XE.66D9O.FQ.>.d.7z...*!"iG**0DW).3#&?&Cx'2.D1Yp+&q.x.e:YR!.]OBuI7XEW66=6Y.u1..e%0..$P.X....8".,...l"/.S..kVQ.e9! l)P.EW66D7PB..I7.DV6.2..BHQI7XEW.6F6[CCQIo\EW66D7PBH.]7XEG66DGTBHQ.7XUW66F7PDHQI7XEW06D7PBHQIG\EW46D7PBHSIw.EW&6D'PBHQY7XUW66D7PRHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBH.=R 1W660`TBHAI7X.S66T7PBHQI7XEW66D7pBH1I7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D7PBHQI7XEW66D

                                                        C:\Users\user\AppData\Roaming\8227aa636967b89b.bin

                                                        Download File
                                                        Process:C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):12320
                                                        Entropy (8bit):7.987403208748677
                                                        Encrypted:false
                                                        SSDEEP:384:1Bt8uuybXIbaQ4659U06e5kWm8wW/6WjovYWl1PHc:1AuuCMFkCO1PHc
                                                        MD5:B16A42E2096B72979B35BAF9CFF24BA3
                                                        SHA1:D1421621BCBC8AF84252862F3151D06FEA833660
                                                        SHA-256:6BD2EE4260A1CD3D9DBDA92CAA0FAF96951F394FE06399EF734452971B2D617C
                                                        SHA-512:99618EACDCAE3E1700CE7E5ADE71E0B2E67F928C32FBD7FDB5CB5FB53136530C799961C887BEB6E17BCB8FA4E42DC9C3A5E42AFF592BCEF50D72B1A546AEA6A1
                                                        Malicious:false
                                                        Preview:....0.Q.8..s...F..w._.A...;..Yp={5.{;*..Y.p.)...."Bs.}....hqLz............h%u.`..._b>*P.F...'.m...f......_..T...l.G.U$ut..}2."7...(O!.U.%.7x.6/\.o.L5..H....K....".AHG...<L...".8.lHz.*)...Sv..+..,..T....I.g.;.{.B{j.{..D5.9.z..0..SoD.z.7`1.JT.d..m.....(vY..s@;.u....Y\.*X....^;...phS.`..T..a...Z...{b......d..`.>8......6F.K..$..^.T.F-.....?....z4._...."..8ZEK....c....n>...Z.)o.}..%UJC........]N/.V.|K:....!..X|...E]q.........?.....{..l.@..D....e`....@.........u..d))...>....o.O...c....F..=..2.yf....=..N@'.(.jS..m`............}.m....35p.j.,EFR... J....O........W..v...i..R.A.=.|9&I..-.i..1..../..s>26..M.....N.G...*.'......_.k.;.k....n.q}..i.s?...~.<.= ..u..T....KT....Au.UA..l.k...#.|..!......uu..7...Q,.1..{No...K`.d7~.|...o ..=.....L..i*M..;...3^......R...y.m.N.x.=..cC.@.YB...H."..9....{.0HE.%...+.Q^\n.....m...........R..:.....#W..h._>.2...Bo.x...a..=.7EHSsR....Sb.e.J.hi.. ...x#=.b.p.,Hf}...A....(.4.......T.#2b...A..S...#c..[....#.......,....nx

                                                        C:\Windows\System32\AppVClient.exe

                                                        Download File
                                                        Process:C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1348608
                                                        Entropy (8bit):7.251540161898657
                                                        Encrypted:false
                                                        SSDEEP:24576:AQW4qoNUgslKNX0Ip0MgHCpoMBOutVg9N9JMlDlfjRiVuVsWt5MJMs:AQW9BKNX0IPgiKMBOuHgFIDRRAubt5M
                                                        MD5:DCB9DA31B5D9BF73EFE42CD201A3C555
                                                        SHA1:32C22E96CD68DB6B2FD652B6B37F9EAFDAA4B454
                                                        SHA-256:53597C33761F053B094F28F5154E0573F18135FE8873CC178919416BF5F7496C
                                                        SHA-512:98A99AA8814211807030A3FC67B9837EBDF44C530FF204782B88ECABD71D2F9CB8440DA63BAFAB4DC25E8467DEE04D462CF9604556379D0AA42C99A927382CC9
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.....................................h.... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

                                                        C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

                                                        Download File
                                                        Process:C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1592832
                                                        Entropy (8bit):4.174818739239532
                                                        Encrypted:false
                                                        SSDEEP:24576:q2G7AbHjkWVg9N9JMlDlfjRiVuVsWt5MJMs:q2G7AbHjJgFIDRRAubt5M
                                                        MD5:424D1BEA7155A3906C3FDDFEE3419252
                                                        SHA1:8057E2881A407ECD4701EB0C2B3659E178CECFEC
                                                        SHA-256:0E67CDFEDE2EB94EE6B28977C0CBF1D929BCB9F5456D5347BFCC8775755440F4
                                                        SHA-512:000CCF21298ADE8DC94A2BE052FEB1154628FB25F4AE61E83990E8D72A99BA9BBB73FD25924E6D801586EFC6A0E075C92A6BEC2F0946B0FA366C9622C1873BB4
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@.......................................... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...............n..............@...........................................................................................................................................................................................................................................................

                                                        C:\Windows\System32\FXSSVC.exe

                                                        Download File
                                                        Process:C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1242624
                                                        Entropy (8bit):7.287652076829233
                                                        Encrypted:false
                                                        SSDEEP:24576:7kdpSI+K3S/GWei+qNv2wG3+Vg9N9JMlDlfjRiVuVsWt5MJMs:76SIGGWei2wG36gFIDRRAubt5M
                                                        MD5:BD4426E495F8ADB5F861A87A8F767BF5
                                                        SHA1:15257A786FBC5BC6DC3BB365DE3EE1A77C186E39
                                                        SHA-256:1540E507B28F48F7A0FA8CD650B34EEFDB680E20ABAFBF1EC8AAAB3ABC78ED81
                                                        SHA-512:90B9137F85E0E1E3663C0A32F6C6F2347B312EC52B9D6A3CD95ABCE96DED715EBAF1BD55EEE1B456133EB3EEA5FA9FB7CC340197C6B6A2DAC21C8E4893656952
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...|..}x...y..}x..}y.x|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P............ ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................

                                                        C:\Windows\System32\alg.exe

                                                        Download File
                                                        Process:C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1594368
                                                        Entropy (8bit):4.175670713227469
                                                        Encrypted:false
                                                        SSDEEP:12288:gEP3RFpV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:7FTVg9N9JMlDlfjRiVuVsWt5MJMs
                                                        MD5:AFF3175576D4CDBFB3592C3E3BEE84D7
                                                        SHA1:DE4133CC207403F4A717949138B1867E75E4DA04
                                                        SHA-256:443AD55E576194E7A7854A3FB4D2EE0726782F4FAC305104F41ED1653640A5C2
                                                        SHA-512:26E1DCA42384F91AAA533BF88E74A4F40F6244F750FB7A36AEFA0039BD59AFF8389F6189B6D27F28433288C20E49B2C63E7AC46798043713936E7E06BDD65D4B
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.....................................<.... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...............t..............@...................................................................................................................................................................................................................................

                                                        C:\Windows\System32\config\systemprofile\AppData\Roaming\8227aa636967b89b.bin

                                                        Download File
                                                        Process:C:\Windows\System32\AppVClient.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):12320
                                                        Entropy (8bit):7.9856338998831
                                                        Encrypted:false
                                                        SSDEEP:192:L4rDsW2n/qNdUJiaw0TsUPRGXw5Gwz1N8GRwqC+VvY25j9owPQHByVfDqJZ0tpsz:kfsWyiNowRUGwjDjCMF5lQHBydDqsMzn
                                                        MD5:032679FA7E48B36276BFDB0A99753E31
                                                        SHA1:D3E462287D2763AF7DC33A9B64D555EBCB8B6176
                                                        SHA-256:218F6444742E74374A4049E6541206C9BB85400BDFF5AFA53E8AE4BA2B6CC4E0
                                                        SHA-512:320385FB6C0EB60525CB2C00B6A2D1770E76F1203DE8C8090315ACBE445256100B168168BB26F4E5A2D0176D7E2662227A6DB323C4B600BCD6A1A0C39F49CDEB
                                                        Malicious:false
                                                        Preview:1...Q..?..D....OR.x. .n)P..(.0(...\{T.#BH5..]K..\H.......P./.}nO>.x*..^f.T...4...?..%.....K.1.L8c....`.F, .'....FU.Ii..lz..8....r.CL......r.3..n..l......=.<.....o.Z.d..0.....)...(.]x........s.`.j..o..4q..s.J.......B.bdK$3.`Gb]K.hd..C.d....SgRH..K.a..|1I#C.....z...O..~<$.......H.........g...)...~..]...Y..h....q..ocU.(.se........".(D..../e;..p...y.mG..k j].iGTk.i5..[...[L....a..v_...+!..j.....z.NB....8&..xs..0?)....|~f...{r....,..Na.X...d....na=.nP.?......X.].!.........VSW..1.......1...v.Yr.&^n.....$5...jl\.F./....o.TW."x..K:#.&*..#G..e.^..#.-.8.Z....l...W.P....Xm..............".....S.....t.....^....J......~.B0.!s.-;*.b.%..CB^...b..e.lA...Cx.nz7....0>.?..>...*...q..,....B.......,...^.y^#=..0..vSu...Z......j...6k..=..n..Jdd).......M[..mMF....Q.A"=v..........n....X.T;...3..m.].....:.L.R..b./.s?.`B...?.8B...44....../Q.ZW..u.(+ ..g.>.I..A.)iS.OS..N.+...KR..+!....X/..8b..V,T..I..|.f.H...0N.p)..~`./.d.t=...ry>t(...&x.>v.kvy.....bH.v..z..^...+....7.

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):7.52193281223966
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:BzK8rQh2O3.exe
                                                        File size:1'801'216 bytes
                                                        MD5:de74305f29857f83bc99d71524a8842b
                                                        SHA1:dd587bd360b681b2ec73bb7bcfc871f8fe981ae0
                                                        SHA256:03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc
                                                        SHA512:2b520fa8669c8b212608f9d09d22329e8bcdfe890aca3e047122e552afdc18f32c1032f4ea6c0e67d4e6515c35278d40afff41639159ec738766c3eb846e28ab
                                                        SSDEEP:49152:pW0c++OCvkGs9Fal24JLo3jIJxDYwgFIDRRAubt5M:4B3vkJ9khPvoUf
                                                        TLSH:0185E02273CDC361CB669173BF6AB7016E7B7C610630B85B2F940D7DA960172262D7A3
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

                                                        File Icon

                                                        Icon Hash:aaf3e3e3938382a0

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x427dcd
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x6750E5B2 [Wed Dec 4 23:28:50 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:1
                                                        File Version Major:5
                                                        File Version Minor:1
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:1
                                                        Import Hash:afcdf79be1557326c854b6e20cb900a7

                                                        Entrypoint Preview

                                                        Instruction
                                                        call 00007F3CD4B33E2Ah
                                                        jmp 00007F3CD4B26BF4h
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        push edi
                                                        push esi
                                                        mov esi, dword ptr [esp+10h]
                                                        mov ecx, dword ptr [esp+14h]
                                                        mov edi, dword ptr [esp+0Ch]
                                                        mov eax, ecx
                                                        mov edx, ecx
                                                        add eax, esi
                                                        cmp edi, esi
                                                        jbe 00007F3CD4B26D7Ah
                                                        cmp edi, eax
                                                        jc 00007F3CD4B270DEh
                                                        bt dword ptr [004C31FCh], 01h
                                                        jnc 00007F3CD4B26D79h
                                                        rep movsb
                                                        jmp 00007F3CD4B2708Ch
                                                        cmp ecx, 00000080h
                                                        jc 00007F3CD4B26F44h
                                                        mov eax, edi
                                                        xor eax, esi
                                                        test eax, 0000000Fh
                                                        jne 00007F3CD4B26D80h
                                                        bt dword ptr [004BE324h], 01h
                                                        jc 00007F3CD4B27250h
                                                        bt dword ptr [004C31FCh], 00000000h
                                                        jnc 00007F3CD4B26F1Dh
                                                        test edi, 00000003h
                                                        jne 00007F3CD4B26F2Eh
                                                        test esi, 00000003h
                                                        jne 00007F3CD4B26F0Dh
                                                        bt edi, 02h
                                                        jnc 00007F3CD4B26D7Fh
                                                        mov eax, dword ptr [esi]
                                                        sub ecx, 04h
                                                        lea esi, dword ptr [esi+04h]
                                                        mov dword ptr [edi], eax
                                                        lea edi, dword ptr [edi+04h]
                                                        bt edi, 03h
                                                        jnc 00007F3CD4B26D83h
                                                        movq xmm1, qword ptr [esi]
                                                        sub ecx, 08h
                                                        lea esi, dword ptr [esi+08h]
                                                        movq qword ptr [edi], xmm1
                                                        lea edi, dword ptr [edi+08h]
                                                        test esi, 00000007h
                                                        je 00007F3CD4B26DD5h
                                                        bt esi, 03h
                                                        jnc 00007F3CD4B26E28h

                                                        Rich Headers

                                                        Programming Language:
                                                        • [ASM] VS2013 build 21005
                                                        • [ C ] VS2013 build 21005
                                                        • [C++] VS2013 build 21005
                                                        • [ C ] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
                                                        • [ASM] VS2013 UPD4 build 31101
                                                        • [RES] VS2013 build 21005
                                                        • [LNK] VS2013 UPD4 build 31101

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xba44c0x17c.rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xc70000x6145c.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa48700x40.rdata
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x10000x8dcc40x8de00fa73b15dfd2617ec81babd6c86443ff5False0.5728679102422908data6.676132368411128IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rdata0x8f0000x2e10e0x2e20079b14b254506b0dbc8cd0ad67fb70ad9False0.33535526761517614OpenPGP Public Key5.76010872795207IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data0xbe0000x8f740x52009f9d6f746f1a415a63de45f8b7983d33False0.1017530487804878data1.198745897703538IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .rsrc0xc70000x6145c0x6160048d05d556b9aab113670c8e9062582f8False0.9320919247432606data7.904774381562474IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0x1290000x960000x95000374b49f3fe0882fc2ec5d0f652373c4cFalse0.9757530673238255data7.938057904352507IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                        Resources

                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                        RT_ICON0xc75a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
                                                        RT_ICON0xc76d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
                                                        RT_ICON0xc77f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
                                                        RT_ICON0xc79200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
                                                        RT_ICON0xc7c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
                                                        RT_ICON0xc7d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
                                                        RT_ICON0xc8bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
                                                        RT_ICON0xc94800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
                                                        RT_ICON0xc99e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
                                                        RT_ICON0xcbf900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
                                                        RT_ICON0xcd0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
                                                        RT_MENU0xcd4a00x50dataEnglishGreat Britain0.9
                                                        RT_STRING0xcd4f00x594dataEnglishGreat Britain0.3333333333333333
                                                        RT_STRING0xcda840x68adataEnglishGreat Britain0.2747909199522103
                                                        RT_STRING0xce1100x490dataEnglishGreat Britain0.3715753424657534
                                                        RT_STRING0xce5a00x5fcdataEnglishGreat Britain0.3087467362924282
                                                        RT_STRING0xceb9c0x65cdataEnglishGreat Britain0.34336609336609336
                                                        RT_STRING0xcf1f80x466dataEnglishGreat Britain0.3605683836589698
                                                        RT_STRING0xcf6600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
                                                        RT_RCDATA0xcf7b80x58723data1.0003340004140502
                                                        RT_GROUP_ICON0x127edc0x76dataEnglishGreat Britain0.6610169491525424
                                                        RT_GROUP_ICON0x127f540x14dataEnglishGreat Britain1.25
                                                        RT_GROUP_ICON0x127f680x14dataEnglishGreat Britain1.15
                                                        RT_GROUP_ICON0x127f7c0x14dataEnglishGreat Britain1.25
                                                        RT_VERSION0x127f900xdcdataEnglishGreat Britain0.6181818181818182
                                                        RT_MANIFEST0x12806c0x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

                                                        Imports

                                                        DLLImport
                                                        WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                                        VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                                        WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                        COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                        MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                        WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                                        PSAPI.DLLGetProcessMemoryInfo
                                                        IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                        USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                                        UxTheme.dllIsThemeActive
                                                        KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                                        USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                        GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                        COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                                                        ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                        SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                        ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                        OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

                                                        Possible Origin

                                                        Language of compilation systemCountry where language is spokenMap
                                                        EnglishGreat Britain

                                                        Network Behavior

                                                        Suricata IDS Alerts

                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                        2025-01-11T02:49:57.902719+01002850851ETPRO MALWARE Win32/Expiro.NDO CnC Activity1192.168.2.44973054.244.188.17780TCP
                                                        2025-01-11T02:49:57.909523+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz154.244.188.17780192.168.2.449730TCP
                                                        2025-01-11T02:49:57.909523+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst154.244.188.17780192.168.2.449730TCP
                                                        2025-01-11T02:50:03.763330+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz144.221.84.10580192.168.2.449736TCP
                                                        2025-01-11T02:50:03.763330+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst144.221.84.10580192.168.2.449736TCP
                                                        2025-01-11T02:50:03.847049+01002051648ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)1192.168.2.4533491.1.1.153UDP
                                                        2025-01-11T02:50:06.393768+01002051649ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)1192.168.2.4651091.1.1.153UDP
                                                        2025-01-11T02:50:45.124526+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz118.141.10.10780192.168.2.449755TCP
                                                        2025-01-11T02:50:45.124526+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst118.141.10.10780192.168.2.449755TCP
                                                        2025-01-11T02:50:48.867179+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz134.246.200.16080192.168.2.449759TCP
                                                        2025-01-11T02:50:48.867179+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst134.246.200.16080192.168.2.449759TCP
                                                        2025-01-11T02:50:49.525304+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz134.227.7.13880192.168.2.449760TCP
                                                        2025-01-11T02:50:49.525304+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst134.227.7.13880192.168.2.449760TCP
                                                        2025-01-11T02:50:52.151278+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz113.251.16.15080192.168.2.449764TCP
                                                        2025-01-11T02:50:52.151278+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst113.251.16.15080192.168.2.449764TCP
                                                        2025-01-11T02:50:55.203379+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz135.164.78.20080192.168.2.449791TCP
                                                        2025-01-11T02:50:55.203379+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst135.164.78.20080192.168.2.449791TCP
                                                        2025-01-11T02:50:56.180580+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz13.94.10.3480192.168.2.449800TCP
                                                        2025-01-11T02:50:56.180580+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst13.94.10.3480192.168.2.449800TCP
                                                        2025-01-11T02:51:00.242871+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz118.246.231.12080192.168.2.449825TCP
                                                        2025-01-11T02:51:00.242871+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst118.246.231.12080192.168.2.449825TCP
                                                        2025-01-11T02:51:01.113608+01002850851ETPRO MALWARE Win32/Expiro.NDO CnC Activity1192.168.2.44983054.244.188.17780TCP
                                                        2025-01-11T02:51:13.607166+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz147.129.31.21280192.168.2.449915TCP
                                                        2025-01-11T02:51:13.607166+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst147.129.31.21280192.168.2.449915TCP
                                                        2025-01-11T02:51:19.427594+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz13.254.94.18580192.168.2.449961TCP
                                                        2025-01-11T02:51:19.427594+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst13.254.94.18580192.168.2.449961TCP
                                                        2025-01-11T02:51:58.092153+01002051651ET MALWARE DNS Query to Expiro Domain (eufxebus .biz)1192.168.2.4576181.1.1.153UDP

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jan 11, 2025 02:49:57.182037115 CET4973080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:57.187077999 CET804973054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:57.187148094 CET4973080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:57.239729881 CET4973080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:57.239775896 CET4973080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:57.244692087 CET804973054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:57.244725943 CET804973054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:57.902586937 CET804973054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:57.902637959 CET804973054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:57.902719021 CET4973080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:57.904740095 CET4973080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:57.909523010 CET804973054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:58.233901024 CET4973180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:49:58.238821030 CET804973118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:49:58.238920927 CET4973180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:49:58.246318102 CET4973180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:49:58.246344090 CET4973180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:49:58.251183987 CET804973118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:49:58.251198053 CET804973118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:49:59.641352892 CET804973118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:49:59.641501904 CET804973118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:49:59.641537905 CET4973180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:49:59.641566038 CET4973180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:49:59.646327019 CET804973118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:49:59.652374029 CET4973280192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:59.658303976 CET804973254.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:59.658397913 CET4973280192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:59.658651114 CET4973280192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:59.658675909 CET4973280192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:59.664443016 CET804973254.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:59.664453983 CET804973254.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:59.666965961 CET4973380192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:59.672786951 CET804973354.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:59.672883987 CET4973380192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:59.673257113 CET4973380192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:59.673310041 CET4973380192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:49:59.677974939 CET804973354.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:49:59.678035021 CET804973354.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:00.372627020 CET804973254.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:00.372940063 CET804973254.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:00.373017073 CET4973280192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:00.373830080 CET4973280192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:00.378884077 CET804973254.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:00.391931057 CET804973354.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:00.392021894 CET804973354.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:00.392087936 CET4973380192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:00.393910885 CET4973380192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:00.437582970 CET4973480192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:00.442574978 CET804973418.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:00.442656040 CET4973480192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:00.443238974 CET4973480192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:00.443238974 CET4973480192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:00.448118925 CET804973418.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:00.448128939 CET804973418.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:01.808655024 CET804973418.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:01.808808088 CET804973418.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:01.809087992 CET4973480192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:01.826257944 CET4973480192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:01.831904888 CET804973418.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:02.342480898 CET4973580192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:02.347280979 CET804973554.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:02.347378016 CET4973580192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:02.351572037 CET4973580192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:02.351593018 CET4973580192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:02.356327057 CET804973554.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:02.356340885 CET804973554.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:03.071651936 CET804973554.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:03.071778059 CET804973554.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:03.071974039 CET4973580192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:03.126991987 CET4973580192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:03.131803036 CET804973554.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:06.417067051 CET4974080192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:06.422027111 CET804974018.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:06.422120094 CET4974080192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:06.453170061 CET4974080192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:06.453217030 CET4974080192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:06.458234072 CET804974018.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:06.458276033 CET804974018.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:07.822432041 CET804974018.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:07.822460890 CET804974018.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:07.822576046 CET4974080192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:07.830287933 CET4974080192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:07.835352898 CET804974018.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:08.008878946 CET4974180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:08.013911963 CET804974118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:08.014087915 CET4974180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:08.015928984 CET4974180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:08.015949011 CET4974180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:08.020776033 CET804974118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:08.020790100 CET804974118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:09.399013996 CET804974118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:09.399077892 CET804974118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:09.399142027 CET4974180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:09.399275064 CET4974180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:09.403984070 CET804974118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:43.735536098 CET4975580192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:43.740478039 CET804975518.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:43.742069006 CET4975580192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:43.742433071 CET4975580192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:43.742461920 CET4975580192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:43.747266054 CET804975518.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:43.747281075 CET804975518.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:45.119539022 CET804975518.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:45.119570971 CET804975518.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:45.119642019 CET4975580192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:45.119745016 CET4975580192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:50:45.124526024 CET804975518.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:50:53.342444897 CET4978480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:53.347362041 CET804978454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:53.347548962 CET4978480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:53.347573042 CET4978480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:53.347711086 CET4978480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:53.352379084 CET804978454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:53.352459908 CET804978454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:54.054244995 CET804978454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:54.054291964 CET804978454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:54.054333925 CET4978480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:54.083955050 CET4978480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:54.088846922 CET804978454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:57.702322006 CET4981480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:57.707190990 CET804981454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:57.707268000 CET4981480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:57.707410097 CET4981480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:57.707427025 CET4981480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:57.712246895 CET804981454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:57.712274075 CET804981454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:58.435395956 CET804981454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:58.435576916 CET4981480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:58.435631990 CET804981454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:50:58.435686111 CET4981480192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:50:58.440417051 CET804981454.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:00.345407963 CET4983080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:00.350631952 CET804983054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:00.350718021 CET4983080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:00.352384090 CET4983080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:00.352397919 CET4983080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:00.357189894 CET804983054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:00.357201099 CET804983054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:01.113457918 CET804983054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:01.113579035 CET804983054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:01.113607883 CET4983080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:01.113640070 CET4983080192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:01.118423939 CET804983054.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:01.334744930 CET4983880192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:01.339757919 CET804983818.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:01.339907885 CET4983880192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:01.340063095 CET4983880192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:01.340074062 CET4983880192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:01.344922066 CET804983818.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:01.344952106 CET804983818.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:02.717515945 CET804983818.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:02.717564106 CET804983818.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:02.717694044 CET4983880192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:02.717725992 CET4983880192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:02.722569942 CET804983818.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:04.809648991 CET4986180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:04.814488888 CET804986118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:04.814558983 CET4986180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:04.814688921 CET4986180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:04.814711094 CET4986180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:04.819542885 CET804986118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:04.819554090 CET804986118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:06.198239088 CET804986118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:06.198429108 CET804986118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:06.198489904 CET4986180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:06.201776981 CET4986180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:06.206551075 CET804986118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:28.505872965 CET5002980192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:28.522465944 CET805002918.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:28.522609949 CET5002980192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:28.522826910 CET5002980192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:28.522828102 CET5002980192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:28.536164045 CET805002918.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:28.543730021 CET805002918.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:29.895215034 CET805002918.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:29.895227909 CET805002918.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:29.895323038 CET5002980192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:29.895371914 CET5002980192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:29.905991077 CET805002918.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:55.081115007 CET5006880192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:55.087677956 CET805006854.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:55.087759972 CET5006880192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:55.087930918 CET5006880192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:55.087943077 CET5006880192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:55.093096972 CET805006854.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:55.093111992 CET805006854.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:55.637948990 CET5006880192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:55.641285896 CET5006980192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:55.646470070 CET805006954.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:55.650871038 CET5006980192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:55.651063919 CET5006980192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:55.651084900 CET5006980192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:55.655848026 CET805006954.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:55.655873060 CET805006954.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:56.363780975 CET805006954.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:56.363924026 CET805006954.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:56.363989115 CET5006980192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:56.364620924 CET5006980192.168.2.454.244.188.177
                                                        Jan 11, 2025 02:51:56.372178078 CET805006954.244.188.177192.168.2.4
                                                        Jan 11, 2025 02:51:58.284117937 CET5007180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:58.289499044 CET805007118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:58.289603949 CET5007180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:58.289725065 CET5007180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:58.289741993 CET5007180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:58.294934988 CET805007118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:58.294944048 CET805007118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:59.657460928 CET805007118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:59.657627106 CET805007118.141.10.107192.168.2.4
                                                        Jan 11, 2025 02:51:59.657732010 CET5007180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:59.725112915 CET5007180192.168.2.418.141.10.107
                                                        Jan 11, 2025 02:51:59.730592966 CET805007118.141.10.107192.168.2.4

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jan 11, 2025 02:49:55.064074039 CET6055053192.168.2.41.1.1.1
                                                        Jan 11, 2025 02:49:55.070911884 CET53605501.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:49:58.076605082 CET6026753192.168.2.41.1.1.1
                                                        Jan 11, 2025 02:49:58.083894014 CET53602671.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:49:59.421711922 CET4945753192.168.2.41.1.1.1
                                                        Jan 11, 2025 02:49:59.602212906 CET53494571.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:49:59.650095940 CET6428353192.168.2.41.1.1.1
                                                        Jan 11, 2025 02:49:59.657921076 CET53642831.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:50:00.408363104 CET5530853192.168.2.41.1.1.1
                                                        Jan 11, 2025 02:50:00.415395021 CET53553081.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:50:02.121021986 CET5115553192.168.2.41.1.1.1
                                                        Jan 11, 2025 02:50:02.128346920 CET53511551.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:50:06.393011093 CET53565941.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:50:09.468667030 CET53639501.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:50:09.478501081 CET53653971.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:51:06.229120016 CET53546771.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:51:26.103368998 CET53575431.1.1.1192.168.2.4
                                                        Jan 11, 2025 02:51:59.725712061 CET5551453192.168.2.41.1.1.1
                                                        Jan 11, 2025 02:51:59.733494043 CET53555141.1.1.1192.168.2.4

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Jan 11, 2025 02:49:55.064074039 CET192.168.2.41.1.1.10x4b23Standard query (0)pywolwnvd.bizA (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:49:58.076605082 CET192.168.2.41.1.1.10x56f9Standard query (0)ssbzmoy.bizA (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:49:59.421711922 CET192.168.2.41.1.1.10x9670Standard query (0)pywolwnvd.bizA (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:49:59.650095940 CET192.168.2.41.1.1.10xce8eStandard query (0)cvgrf.bizA (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:50:00.408363104 CET192.168.2.41.1.1.10x6ec8Standard query (0)ssbzmoy.bizA (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:50:02.121021986 CET192.168.2.41.1.1.10xdc67Standard query (0)cvgrf.bizA (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:51:59.725712061 CET192.168.2.41.1.1.10x98bfStandard query (0)pwlqfu.bizA (IP address)IN (0x0001)false

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Jan 11, 2025 02:49:55.070911884 CET1.1.1.1192.168.2.40x4b23No error (0)pywolwnvd.biz54.244.188.177A (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:49:58.083894014 CET1.1.1.1192.168.2.40x56f9No error (0)ssbzmoy.biz18.141.10.107A (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:49:59.602212906 CET1.1.1.1192.168.2.40x9670No error (0)pywolwnvd.biz54.244.188.177A (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:49:59.657921076 CET1.1.1.1192.168.2.40xce8eNo error (0)cvgrf.biz54.244.188.177A (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:50:00.415395021 CET1.1.1.1192.168.2.40x6ec8No error (0)ssbzmoy.biz18.141.10.107A (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:50:02.128346920 CET1.1.1.1192.168.2.40xdc67No error (0)cvgrf.biz54.244.188.177A (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:50:06.393011093 CET1.1.1.1192.168.2.40x2e8cName error (3)zlenh.biznonenoneA (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:50:09.468667030 CET1.1.1.1192.168.2.40x38a9Name error (3)uhxqin.biznonenoneA (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:50:09.478501081 CET1.1.1.1192.168.2.40x3164Name error (3)anpmnmxo.biznonenoneA (IP address)IN (0x0001)false
                                                        Jan 11, 2025 02:51:59.733494043 CET1.1.1.1192.168.2.40x98bfNo error (0)pwlqfu.biz34.246.200.160A (IP address)IN (0x0001)false

                                                        HTTP Request Dependency Graph

                                                        • pywolwnvd.biz
                                                        • ssbzmoy.biz
                                                        • cvgrf.biz
                                                        • knjghuig.biz
                                                        • vcddkls.biz
                                                        • dwrqljrr.biz
                                                        • oshhkdluh.biz
                                                        • lrxdmhrr.biz
                                                        • wllvnzb.biz
                                                        • acwjcqqv.biz
                                                        • warkcdu.biz
                                                        • rynmcq.biz
                                                        • eufxebus.biz

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.44973054.244.188.177803748C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:49:57.239729881 CET359OUTPOST /sqhuoucbvpfptw HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: pywolwnvd.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 800
                                                        Jan 11, 2025 02:49:57.239775896 CET800OUTData Raw: 07 f7 4b d3 e2 2e 94 6f 14 03 00 00 14 42 41 a1 b0 fd dc b4 6d 95 f7 94 9c f6 ef 51 c8 61 f2 f3 a4 d6 99 ca 16 14 54 98 a2 d8 77 fe f0 9d fd c1 c2 e8 f4 18 76 da 74 d2 cc b5 c5 47 45 df d0 dc 77 03 4d 39 56 03 28 6a 9e fe 3e d5 0f 5c 25 7e 2c 32
                                                        Data Ascii: K.oBAmQaTwvtGEwM9V(j>\%~,2"^fC]/wa,`@H86#"G$GNM\c?(uQZG{#KbN+lH{9aqAWiT2>Ak3
                                                        Jan 11, 2025 02:49:57.902586937 CET413INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:49:57 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=55d89a1c91491eab853aa90bbc2fbf10|8.46.123.189|1736560197|1736560197|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        1192.168.2.44973118.141.10.107803748C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:49:58.246318102 CET346OUTPOST /ahu HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: ssbzmoy.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 800
                                                        Jan 11, 2025 02:49:58.246344090 CET800OUTData Raw: 5c cb e9 f9 7d 05 a5 d1 14 03 00 00 1e 6e 33 9c e3 4f 19 8e c8 ad 81 8f ec c4 7b 68 96 eb 13 91 52 a2 f9 53 ee 38 2d 0d e5 f0 a7 13 bd a8 94 d7 71 86 61 e7 c9 99 2f a6 ff 8b 80 57 4f 93 62 ab 06 62 32 00 fd 3d 10 b1 82 7d a2 0b 40 59 9d c3 82 27
                                                        Data Ascii: \}n3O{hRS8-qa/WObb2=}@Y'jtae1q^5)[2ya`}FifOhZ,R#n<bTXkZc,Gb)$!/K]I*1X:QE>:#6M?*F+PJh[SR39'b
                                                        Jan 11, 2025 02:49:59.641352892 CET411INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:49:59 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=9e7e97df5d8d1fb12480acdb23281677|8.46.123.189|1736560199|1736560199|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        2192.168.2.44973254.244.188.17780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:49:59.658651114 CET355OUTPOST /nxbrnchslf HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: pywolwnvd.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:49:59.658675909 CET874OUTData Raw: 7e bd ca f4 73 34 a9 d1 5e 03 00 00 5a 5e 0b 6e e6 3c 47 6c cd a1 d0 eb 21 2b 2d c5 cf b3 39 1b 54 08 fa 1b 86 32 19 cc fc 3f 73 34 29 1f 8c a5 10 b5 21 e0 48 02 39 3b 6b 19 da f1 1a 1f f5 af 49 d3 4a 6a 1b 51 53 96 02 a9 b8 93 33 76 61 6c 65 00
                                                        Data Ascii: ~s4^Z^n<Gl!+-9T2?s4)!H9;kIJjQS3valeQWzS@@VRu~G:Oc#8HAEdBA`}hq71W`e}P6l[??C0|TKiJBMH5:Md
                                                        Jan 11, 2025 02:50:00.372627020 CET413INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:50:00 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=6de47d8ddd0813bd180efd24cad336f2|8.46.123.189|1736560200|1736560200|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        3192.168.2.44973354.244.188.177803748C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:49:59.673257113 CET357OUTPOST /flkkbmligcvmrctj HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: cvgrf.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 800
                                                        Jan 11, 2025 02:49:59.673310041 CET800OUTData Raw: 2f b5 65 be ea 6f b0 b2 14 03 00 00 b5 86 a3 42 3b a6 38 0c 92 a4 07 c3 bd 66 45 cd e8 58 01 47 58 7c 02 7e 07 93 da b1 05 d5 d7 e3 89 bd 29 a4 58 a9 1a 23 d2 35 e7 e3 37 c1 31 22 90 83 e2 e5 4a de 4b 3c 62 4a 58 55 92 f0 20 33 06 39 3d bf 7a e2
                                                        Data Ascii: /eoB;8fEXGX|~)X#571"JK<bJXU 39=z|V1O ifE9ReWHH8f0j.W0Jo$iVtT(>gH}r|}[5}L1<d3c5Fg<vGB"RXgkd>
                                                        Jan 11, 2025 02:50:00.391931057 CET409INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:50:00 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=09cca80dea83057d593a00c42d8523f8|8.46.123.189|1736560200|1736560200|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        4192.168.2.44973418.141.10.10780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:50:00.443238974 CET348OUTPOST /ggjlw HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: ssbzmoy.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:50:00.443238974 CET874OUTData Raw: a9 8d fb d1 9f 37 98 63 5e 03 00 00 69 4a 41 a0 38 7d e5 27 c9 50 ec b3 8e e4 e9 d8 97 69 dd 33 fd 66 8f 11 e4 00 cf 47 d0 f2 2a 20 85 fc bf f1 d7 9f 5a eb 34 92 d9 c7 3d 0d b1 bb 97 50 78 1b 01 8c 38 8f 95 9b 76 48 62 cf fe 26 64 39 18 82 92 88
                                                        Data Ascii: 7c^iJA8}'Pi3fG* Z4=Px8vHb&d9aW&II)RTQM6@FmC>64&\hs whMIL2q7vPeUnV0",YNKAjwoh Ng]'j=[Cx
                                                        Jan 11, 2025 02:50:01.808655024 CET411INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:50:01 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=e19a54547053b3473824b9ec1383a7cb|8.46.123.189|1736560201|1736560201|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        5192.168.2.44973554.244.188.17780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:50:02.351572037 CET348OUTPOST /dufkpol HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: cvgrf.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:50:02.351593018 CET874OUTData Raw: 8d 9e 44 73 6f 11 de 0d 5e 03 00 00 47 86 b0 ed d2 b2 12 61 5c 34 2c b5 de f5 e9 8b b5 ff e1 d7 d1 a7 63 60 ee ca 68 4b a9 24 51 d9 eb 63 82 e2 be 22 2c a1 f0 39 a5 51 1c fe d3 ca 9f b1 a2 6c 1b 08 45 3b 8d ff be db c3 60 f7 21 21 e8 35 8d 10 10
                                                        Data Ascii: Dso^Ga\4,c`hK$Qc",9QlE;`!!5a/XiSFWX7=yM5E#CRU9J_u`8Nw)'M(@,{+qd;c7,zkgS6<Tc~KG/j
                                                        Jan 11, 2025 02:50:03.071651936 CET409INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:50:02 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=8b1ca85f03e9615bf9eadc758bed3772|8.46.123.189|1736560202|1736560202|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        6192.168.2.44974018.141.10.10780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:50:06.453170061 CET345OUTPOST /a HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: knjghuig.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:50:06.453217030 CET874OUTData Raw: 71 99 3f 22 66 7f 77 f8 5e 03 00 00 05 e6 07 1a 73 15 37 78 6c c3 f8 b9 07 0c b5 9a 5a 8f cf e3 82 c6 f2 b6 e4 99 2f a5 d4 78 8d 5a 05 4a b3 4d b8 d7 7e ce 3c 9b 3d 01 ce ae 55 56 52 46 99 ea 21 8f 44 88 89 7e ab 93 1a fb ca 04 e9 2a 30 65 5a 23
                                                        Data Ascii: q?"fw^s7xlZ/xZJM~<=UVRF!D~*0eZ#3/yCH6sBWH@SxnN{|my (!}bLxbtH^E4#Qpdq3:V#V,%/nN[>5V+v}1YIkF]=kO~?=oSf]
                                                        Jan 11, 2025 02:50:07.822432041 CET412INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:50:07 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=4cbbbd81f41ff5871a96d92571e5d708|8.46.123.189|1736560207|1736560207|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        7192.168.2.44974118.141.10.10780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:50:08.015928984 CET357OUTPOST /mygkicdwtcska HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: knjghuig.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:50:08.015949011 CET874OUTData Raw: ac 0f c0 d0 26 c0 91 f0 5e 03 00 00 b5 f3 70 20 43 b1 cf e0 8a 33 b0 bd d3 a3 22 f3 31 aa 5f 87 c8 72 8b d5 8b ba a1 dd 7c f6 6c ce 62 4c 70 a4 7f 4c 56 c9 fd 70 d4 50 5a fe 0e aa 24 ee e3 4c f4 ce 05 21 8a f9 41 ec 50 e1 7f 37 5e 1b 92 ae 2b b4
                                                        Data Ascii: &^p C3"1_r|lbLpLVpPZ$L!AP7^+$$1KGp=`5BKdBJ{by"}zRQT,3`h9p<\hjOeIegnZlhYj2?00OpRoJ
                                                        Jan 11, 2025 02:50:09.399013996 CET412INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:50:09 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=9e26fe48445e9284a5a5b3a1761b633b|8.46.123.189|1736560209|1736560209|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        8192.168.2.44975518.141.10.10780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:50:43.742433071 CET358OUTPOST /eicnkswtpuoihir HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: vcddkls.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:50:43.742461920 CET874OUTData Raw: b4 78 c5 be 26 27 e9 03 5e 03 00 00 a7 0b 3e c9 0b 2f 24 a0 db 96 5e c1 ea 57 62 a6 bc 97 ad 9a 8a 97 84 29 a4 c8 5a 63 6e 44 52 ae 2d 53 e2 02 db fb 38 cd 1f ad 78 42 0e 4f 96 1c 76 30 fb 21 94 06 47 f9 ca 89 e8 06 27 10 b7 46 2c 0c 20 92 d8 1a
                                                        Data Ascii: x&'^>/$^Wb)ZcnDR-S8xBOv0!G'F, @xc0` nussc'&g0R`l'OdAZ0o(M&zCmz"`z3fm;s_>L1P#yUL1mo
                                                        Jan 11, 2025 02:50:45.119539022 CET411INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:50:44 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=fea0ab05360ae207ae67092ffa1c0cbd|8.46.123.189|1736560244|1736560244|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        9192.168.2.44978454.244.188.17780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:50:53.347573042 CET357OUTPOST /jhjqfhvnwcnnm HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: dwrqljrr.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:50:53.347711086 CET874OUTData Raw: b3 78 70 de 00 09 90 4b 5e 03 00 00 e9 6e 43 b6 93 05 d5 52 3d 76 56 8a 33 02 8f 05 a6 25 15 ef ec 23 e4 5a 90 18 cb f6 e0 79 a4 78 8e f0 33 63 98 fd bc 6c f7 52 a9 20 ef 14 07 2f 5d bc 0e c2 b9 66 0b 2f 38 79 aa 29 ae 9d 79 3a 33 e2 ae 96 58 0a
                                                        Data Ascii: xpK^nCR=vV3%#Zyx3clR /]f/8y)y:3Xu=ak96#gR=%RTap|.SN3r"b}f30SK/^J+U:A(X,v \x]2m05(wMe!c0]A?_0)p
                                                        Jan 11, 2025 02:50:54.054244995 CET412INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:50:53 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=cf829eec168a0e99f7a2696966ce388d|8.46.123.189|1736560253|1736560253|0|1|0; path=/; domain=.dwrqljrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        10192.168.2.44981454.244.188.17780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:50:57.707410097 CET361OUTPOST /jetrwdoymgqweqlr HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: oshhkdluh.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:50:57.707427025 CET874OUTData Raw: a9 b2 3b a0 a2 79 10 e8 5e 03 00 00 f2 77 01 d6 22 2a ad a5 c1 6c b4 67 c9 b6 82 40 b4 3e 58 1c 41 30 2d 58 a4 52 1a e8 1f 88 fb 3d 40 26 db 84 e2 ed a5 a0 f0 f0 3f 00 95 8c b1 18 c3 b1 a1 ba 73 ba 39 66 3d 51 ca 95 86 e8 c2 ee 4d 5f 0a 54 51 df
                                                        Data Ascii: ;y^w"*lg@>XA0-XR=@&?s9f=QM_TQ!{eCoRnM}]'l;F1S3qxbLM[.H-Q&UNXYb*1C,H{Ui~Gl9YZ@A_z!JKM,2 k4
                                                        Jan 11, 2025 02:50:58.435395956 CET413INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:50:58 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=f2a122b1141397bc7b35af99bf53c842|8.46.123.189|1736560258|1736560258|0|1|0; path=/; domain=.oshhkdluh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        11192.168.2.44983054.244.188.17780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:51:00.352384090 CET347OUTPOST /hnk HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: lrxdmhrr.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:51:00.352397919 CET874OUTData Raw: 80 44 2c 09 23 74 92 3a 5e 03 00 00 20 fe 84 e5 2b 1f 14 af 5d 19 d3 83 ad 3e a3 ed cf 7c 34 0e ff 3e 39 fc 45 ee 04 ec a2 b8 32 6c f4 e2 78 85 82 11 11 6d 0b e2 5f c9 31 1e 8d 1f 5b 45 2b a3 cf c8 77 e0 60 f8 87 ad 55 de 7a 8b 26 2d 95 ac 08 9e
                                                        Data Ascii: D,#t:^ +]>|4>9E2lxm_1[E+w`Uz&-QlgY7&L1 .,B"7,4^@r-<oP~kq%HUm"E4~`#'*+Nk7<q!\*}u\$UC*phg)L
                                                        Jan 11, 2025 02:51:01.113457918 CET412INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:51:01 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=82c2cee1488aa6bf6d2e41cd2c35ba1d|8.46.123.189|1736560261|1736560261|0|1|0; path=/; domain=.lrxdmhrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        12192.168.2.44983818.141.10.10780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:51:01.340063095 CET350OUTPOST /wxwlgro HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: wllvnzb.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:51:01.340074062 CET874OUTData Raw: a4 43 4f 23 a8 47 4f 39 5e 03 00 00 fe 21 13 e1 40 dd 66 23 ab 34 0a d3 83 9e ec 19 95 45 e3 43 49 1e ad 7c cf d1 0a 7f 48 43 b7 7b 05 6e 0a 3c 32 0e ab da 8a 6c 7c 99 38 da a2 c0 85 bc 2e 2d ed 94 93 63 95 42 40 09 cc bf d9 f4 0b e2 ab 9d 90 0c
                                                        Data Ascii: CO#GO9^!@f#4ECI|HC{n<2l|8.-cB@?PGWFW<MBc;k~Nfg_ig,U:~[Bdo%VrX{^b0y]Uxw\1c]f&jM?+y\ kEW+(
                                                        Jan 11, 2025 02:51:02.717515945 CET411INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:51:02 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=8edf19648247c603f9925ec4a1012540|8.46.123.189|1736560262|1736560262|0|1|0; path=/; domain=.wllvnzb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        13192.168.2.44986118.141.10.10780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:51:04.814688921 CET355OUTPOST /cvgvkeodaeo HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: acwjcqqv.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:51:04.814711094 CET874OUTData Raw: 78 63 bd 95 c8 a8 8d 80 5e 03 00 00 cd be 3b 2f ce 65 11 87 86 9f 59 3b 9f 4b d1 92 69 a3 83 71 1b c1 1d 11 88 55 42 d1 d4 3a 12 d6 ba 1d de 57 5c e5 53 94 5d 7c 72 15 fd 15 d9 d7 e7 7f d3 b3 d0 db 76 d4 a5 d6 ab 77 09 95 1c c1 58 34 07 b1 ec 29
                                                        Data Ascii: xc^;/eY;KiqUB:W\S]|rvwX4)?jNGKy*+^O#_8{}!V?{/c+hm^8f,'D~(kQ41?vW{/+};'m-R<%Pm
                                                        Jan 11, 2025 02:51:06.198239088 CET412INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:51:05 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=394396800696cbda00453a5749ffb968|8.46.123.189|1736560265|1736560265|0|1|0; path=/; domain=.acwjcqqv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        14192.168.2.45002918.141.10.10780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:51:28.522826910 CET351OUTPOST /wdqbfpac HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: warkcdu.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:51:28.522828102 CET874OUTData Raw: 57 6b 06 9a e2 71 3f 53 5e 03 00 00 9f 25 bf 45 4e d2 3e c9 97 33 2f 4b 3d fd f5 9e b9 ab 9b f5 4f 8c 3a 77 3e 2e df fa fe 09 6f fb f2 0b 18 e1 1f 4c 85 99 61 8c 1e aa 6b 64 37 d8 4c a4 3f 64 66 54 72 5d a1 f5 23 44 f3 e7 d7 6a 28 9a 2e b5 a1 1a
                                                        Data Ascii: Wkq?S^%EN>3/K=O:w>.oLakd7L?dfTr]#Dj(.Mx\(U}{Y+|$j)DA3QBs%_^+*ot!>'5,z92BK^"G@hdWsw=wTakKUctcE~0FxYF_0
                                                        Jan 11, 2025 02:51:29.895215034 CET411INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:51:29 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=412eb2087702cbbf2a98a66dbafee1a3|8.46.123.189|1736560289|1736560289|0|1|0; path=/; domain=.warkcdu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        15192.168.2.45006854.244.188.17780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:51:55.087930918 CET349OUTPOST /tebnqgy HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: rynmcq.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:51:55.087943077 CET874OUTData Raw: 06 27 a8 ab 7c 27 bd 69 5e 03 00 00 0e 08 6f 06 37 aa b8 1c 73 15 48 0b d6 66 f5 70 a6 75 c6 c2 e6 78 f4 2d f3 0c e3 6c 9a 51 6c e9 8a 7b 7f 1b 06 ef bf 83 09 22 8a f8 57 06 bb 32 cb 47 35 5a c2 45 db 10 9f 49 93 9b ac 92 2e 71 3f 3f 7b 0e 76 47
                                                        Data Ascii: '|'i^o7sHfpux-lQl{"W2G5ZEI.q??{vGqNv4|0J4}}11f@b4F;wfW=@T8i*k*UdJ4wM+/'*X/!pQQOdqpcL,877'WfTS


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        16192.168.2.45006954.244.188.17780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:51:55.651063919 CET356OUTPOST /lglaocayhhpbni HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: rynmcq.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:51:55.651084900 CET874OUTData Raw: 7d aa 75 09 a3 48 ab 7b 5e 03 00 00 3f 0f 9f 91 57 e5 09 77 16 6d ae f5 79 02 51 7c af 34 26 ae 22 18 fd 55 d9 bc 86 e2 c3 cd af da 9b b8 bd e5 99 86 cd f6 e0 8e 0c 10 57 57 76 29 c6 f3 4c bf b9 78 1b 7b a7 7a 7f 43 b3 0d 0f 56 f4 01 6f d5 27 5f
                                                        Data Ascii: }uH{^?WwmyQ|4&"UWWv)Lx{zCVo'_o6pM5W4Rd*~^HoyK7|4+&e8<Y@'1]Q,7Rs>MkDuVt;=`~ki(Lm|q ^69GH"JKms@A
                                                        Jan 11, 2025 02:51:56.363780975 CET410INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:51:56 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=15ab54c852d5c72727d40344700e8b65|8.46.123.189|1736560316|1736560316|0|1|0; path=/; domain=.rynmcq.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        17192.168.2.45007118.141.10.10780
                                                        TimestampBytes transferredDirectionData
                                                        Jan 11, 2025 02:51:58.289725065 CET353OUTPOST /bjgvdeudf HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        Host: eufxebus.biz
                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                        Content-Length: 874
                                                        Jan 11, 2025 02:51:58.289741993 CET874OUTData Raw: 0c d1 d2 91 ff df 34 04 5e 03 00 00 80 dc c0 d0 dc 53 33 ed fd ea 51 7e c9 e1 7d 76 e4 1a 8b ee 1d aa d2 82 b7 75 55 77 f6 93 fc 1c d1 7c 03 f6 6f 13 20 65 d6 57 6b 02 3e e4 3e 23 82 34 9c b5 cd 10 3b d3 e3 c4 f2 93 5a e0 29 cc c7 c0 35 e4 06 3d
                                                        Data Ascii: 4^S3Q~}vuUw|o eWk>>#4;Z)5=b^Q|l@LETbubBn9)g|N9HDfiL.Ahp~Vk^H;T)KIR_o2B5Gi"t[,GdzNLbeqaP54,5L<P`iTF
                                                        Jan 11, 2025 02:51:59.657460928 CET412INHTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 11 Jan 2025 01:51:59 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Set-Cookie: btst=da1bd7d99d0fc9eb3856877a718868f2|8.46.123.189|1736560319|1736560319|0|1|0; path=/; domain=.eufxebus.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Target ID:0
                                                        Start time:20:49:52
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\BzK8rQh2O3.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\BzK8rQh2O3.exe"
                                                        Imagebase:0x400000
                                                        File size:1'801'216 bytes
                                                        MD5 hash:DE74305F29857F83BC99D71524A8842B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:1
                                                        Start time:20:49:53
                                                        Start date:10/01/2025
                                                        Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                                                        Imagebase:0x400000
                                                        File size:1'658'880 bytes
                                                        MD5 hash:224A86FD89B67F5874BE745F454A29D5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 100%, Joe Sandbox ML
                                                        Reputation:low
                                                        Has exited:false

                                                        General

                                                        Target ID:2
                                                        Start time:20:49:53
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\alg.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\alg.exe
                                                        Imagebase:0x140000000
                                                        File size:1'594'368 bytes
                                                        MD5 hash:AFF3175576D4CDBFB3592C3E3BEE84D7
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 100%, Joe Sandbox ML
                                                        Reputation:low
                                                        Has exited:false

                                                        General

                                                        Target ID:3
                                                        Start time:20:49:55
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\drivers\AppVStrm.sys
                                                        Wow64 process (32bit):
                                                        Commandline:
                                                        Imagebase:
                                                        File size:138'056 bytes
                                                        MD5 hash:BDA55F89B69757320BC125FF1CB53B26
                                                        Has elevated privileges:
                                                        Has administrator privileges:
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:false

                                                        General

                                                        Target ID:4
                                                        Start time:20:49:55
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\drivers\AppvVemgr.sys
                                                        Wow64 process (32bit):
                                                        Commandline:
                                                        Imagebase:
                                                        File size:174'408 bytes
                                                        MD5 hash:E70EE9B57F8D771E2F4D6E6B535F6757
                                                        Has elevated privileges:
                                                        Has administrator privileges:
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:false

                                                        General

                                                        Target ID:5
                                                        Start time:20:49:55
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\drivers\AppvVfs.sys
                                                        Wow64 process (32bit):
                                                        Commandline:
                                                        Imagebase:
                                                        File size:154'952 bytes
                                                        MD5 hash:2CBABD729D5E746B6BD8DC1B4B4DB1E1
                                                        Has elevated privileges:
                                                        Has administrator privileges:
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:false

                                                        General

                                                        Target ID:6
                                                        Start time:20:49:55
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\AppVClient.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\AppVClient.exe
                                                        Imagebase:0x140000000
                                                        File size:1'348'608 bytes
                                                        MD5 hash:DCB9DA31B5D9BF73EFE42CD201A3C555
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 100%, Joe Sandbox ML
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:9
                                                        Start time:20:49:58
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\FXSSVC.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\fxssvc.exe
                                                        Imagebase:0x140000000
                                                        File size:1'242'624 bytes
                                                        MD5 hash:BD4426E495F8ADB5F861A87A8F767BF5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 100%, Joe Sandbox ML
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:10
                                                        Start time:20:49:58
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\BzK8rQh2O3.exe"
                                                        Imagebase:0x3f0000
                                                        File size:46'504 bytes
                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2005006372.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:11
                                                        Start time:20:50:00
                                                        Start date:10/01/2025
                                                        Path:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                                                        Imagebase:0x140000000
                                                        File size:2'354'176 bytes
                                                        MD5 hash:01AF1FD4DAF4AD21FE19952B19C40DC2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:false

                                                        General

                                                        Target ID:12
                                                        Start time:20:50:01
                                                        Start date:10/01/2025
                                                        Path:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                                        Imagebase:0x140000000
                                                        File size:1'725'440 bytes
                                                        MD5 hash:FF9BB8830745BF559EF36B064C54358D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Disassembly

                                                        Reset < >

                                                          Execution Graph

                                                          Execution Coverage:4.2%
                                                          Dynamic/Decrypted Code Coverage:97.7%
                                                          Signature Coverage:9.1%
                                                          Total number of Nodes:88
                                                          Total number of Limit Nodes:1
                                                          execution_graph 5708 748090 5712 748075 5708->5712 5709 748186 CloseHandle 5709->5712 5710 7480ca GetTokenInformation 5710->5712 5711 7481ad GetTokenInformation 5711->5712 5712->5709 5712->5710 5712->5711 5713 7480a7 5712->5713 5750 7457f0 5751 7455ac 5750->5751 5751->5750 5753 7455e4 5751->5753 5754 763870 5751->5754 5755 763876 5754->5755 5757 763893 5755->5757 5758 763720 5755->5758 5757->5751 5760 750c42 5758->5760 5759 74e050 VirtualAlloc 5759->5760 5760->5758 5760->5759 5761 7637dd 5760->5761 5761->5757 5761->5761 5685 7481b1 5689 748075 5685->5689 5686 748186 CloseHandle 5686->5689 5687 7480ca GetTokenInformation 5687->5689 5688 7481ad GetTokenInformation 5688->5689 5689->5686 5689->5687 5689->5688 5690 7480a7 5689->5690 5705 7454c4 5707 7454c5 5705->5707 5706 745522 VirtualAlloc 5706->5707 5707->5706 5644 745b87 CreateThread 5645 745b1c 5644->5645 5653 745810 5644->5653 5646 745cdf CreateThread 5645->5646 5649 745c20 5645->5649 5647 745c01 5646->5647 5650 7454a0 5646->5650 5648 745c03 CloseHandle 5647->5648 5647->5649 5648->5649 5651 7454b5 5650->5651 5652 745522 VirtualAlloc 5651->5652 5652->5651 5654 745822 5653->5654 5655 745b00 5656 745bba 5655->5656 5663 7552c0 5656->5663 5658 745bc7 5662 745bde 5658->5662 5668 760080 5658->5668 5664 7552c6 5663->5664 5667 7552ce 5663->5667 5664->5667 5682 74e050 5664->5682 5667->5658 5673 760089 5668->5673 5669 7603e0 GetComputerNameW 5669->5673 5670 760181 VirtualFree 5670->5673 5671 74e050 VirtualAlloc 5671->5673 5672 7603bf GetUserNameW 5672->5673 5673->5669 5673->5670 5673->5671 5673->5672 5674 7604d6 GetComputerNameW 5673->5674 5675 745c7b 5673->5675 5674->5673 5676 748070 5675->5676 5680 748075 5676->5680 5677 748186 CloseHandle 5677->5680 5678 7480ca GetTokenInformation 5678->5680 5679 7481ad GetTokenInformation 5679->5680 5680->5677 5680->5678 5680->5679 5681 7480a7 5680->5681 5681->5662 5683 74e0c3 5682->5683 5684 74e0d8 VirtualAlloc 5683->5684 5684->5683 5698 745860 5699 7552c0 VirtualAlloc 5698->5699 5700 745869 5699->5700 5701 760080 5 API calls 5700->5701 5702 74587d 5701->5702 5703 748070 3 API calls 5702->5703 5704 745870 5703->5704 5691 745b42 5692 745b07 5691->5692 5692->5691 5693 745cdf CreateThread 5692->5693 5695 745b68 5692->5695 5694 745c01 5693->5694 5697 7454a0 VirtualAlloc 5693->5697 5694->5695 5696 745c03 CloseHandle 5694->5696 5695->5695 5696->5695 5762 745be2 5763 745bfc CloseHandle 5762->5763 5765 745be7 5762->5765 5763->5765 5766 7455ef 5767 7455ac 5766->5767 5768 763870 VirtualAlloc 5767->5768 5769 7455e4 5767->5769 5768->5767 5743 745b09 5744 745b16 5743->5744 5745 745cdf CreateThread 5744->5745 5748 745c20 5744->5748 5746 745c01 5745->5746 5749 7454a0 VirtualAlloc 5745->5749 5747 745c03 CloseHandle 5746->5747 5746->5748 5747->5748

                                                          Executed Functions

                                                          Function 00760080 Relevance: 5.0, APIs: 3, Instructions: 466COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 760080-760286 2 76028c 0->2 3 760099-760575 0->3 4 760445 2->4 7 760155 3->7 8 76057b 3->8 4->3 6 76044b-760457 4->6 10 760458-760472 GetComputerNameW 6->10 9 7602ef-760495 call 74e050 * 2 7->9 8->7 11 760581-760587 8->11 9->10 53 76043e 9->53 15 7603ee-7603f4 10->15 16 76024c-760253 10->16 13 76058b 11->13 18 760181 VirtualFree 13->18 19 76058c-760591 13->19 40 7600da-76023f 15->40 41 7603fa 15->41 20 7601e6 16->20 21 760255 16->21 23 7601a8-7602ac call 777164 18->23 24 760597 19->24 25 7604ab-7604af 19->25 30 7602b1-7602be 20->30 31 7601ec-760313 call 77715c 20->31 27 7602d3 21->27 23->30 24->25 26 76059d 24->26 43 7604c7 25->43 26->25 27->20 39 7602d9 27->39 36 7602c4 30->36 37 7603bf-7603d9 GetUserNameW 30->37 50 760318-76031e 31->50 36->37 45 7602ca 36->45 46 760331 37->46 39->9 40->16 54 760241-76024a 40->54 41->40 47 760400 41->47 58 7604cc-7604e6 call 779970 GetComputerNameW 43->58 45->27 51 760337 46->51 52 760171 46->52 55 76b1ee-76b49f 47->55 56 760324 50->56 57 760568-76056b 50->57 51->52 61 76033d 51->61 59 760173 52->59 60 76013f-760146 52->60 53->4 54->16 54->30 56->57 62 76032a 56->62 57->58 69 760131 58->69 70 7604ec-760514 58->70 64 760230 59->64 60->13 65 7605d0-7605d9 61->65 62->46 64->43 68 760236-7605c2 64->68 65->55 68->43 74 7605c8-7605c9 68->74 72 760137 69->72 73 760089-76008c 69->73 70->57 72->73 75 76013d 72->75 73->23 77 760092 73->77 74->65 75->18 75->60 77->23 78 760098 77->78 78->3
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID: ComputerName
                                                          • String ID:
                                                          • API String ID: 3545744682-0
                                                          • Opcode ID: bedead01c1dc1848f45a379680a0d4ea3d4e28d5f80a8af917199885409c5e81
                                                          • Instruction ID: 31c99936c62a14167fa9e86b1e9a571dcc0829db343124c25cd51a6c1ff689fe
                                                          • Opcode Fuzzy Hash: bedead01c1dc1848f45a379680a0d4ea3d4e28d5f80a8af917199885409c5e81
                                                          • Instruction Fuzzy Hash: C1D1F231518B0D8FCB28EF58D8497EBB7E1FBA1310F58461EDC47C3265DA789A458AC2
                                                          Function 007452A0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 316 7452a0-7453fe 321 745404-74540e 316->321 322 780d4c-780d4e 316->322 323 745424 321->323 324 74542a 323->324 325 74539b 323->325 324->325 326 745430-745443 324->326 327 745413-745419 325->327 328 74539d-7453a1 325->328 329 7453a7 328->329 330 7452b0-7452b5 328->330 329->330 331 7453ad 329->331 332 7453f3-7453f9 331->332 333 7453af 331->333 337 745355 332->337 338 74532a 332->338 334 7453e0-7453f1 333->334 334->327 334->332 341 7452d1-7452e7 337->341 342 7452e8-745363 337->342 338->337 340 74532c-74533f 338->340 343 74536b-745390 340->343 341->342 348 745365 342->348 349 7453d1-7453d5 342->349 350 745392-74539a 343->350 351 7453c3 343->351 348->349 352 745367-745369 348->352 349->328 353 7453d7 349->353 350->328 352->343 353->334 354 745342-745345 353->354 355 745400-74540e 354->355 356 74534b 354->356 355->323 356->355 357 745351-745353 356->357 357->337
                                                          APIs
                                                          • GetSystemDefaultLangID.KERNELBASE ref: 007453C4
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID: DefaultLangSystem
                                                          • String ID:
                                                          • API String ID: 706401283-0
                                                          • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                                          • Instruction ID: d771002238b0da58bf9280f5c12051464807bfaecf04c6e03cacf2915f1ea2df
                                                          • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                                          • Instruction Fuzzy Hash: 9141F7A250DED58FD7264B2848643747BA0AB123EAF9D04E7D4C38B0E3E3DC4C859326
                                                          Function 00748070 Relevance: 4.7, APIs: 3, Instructions: 236COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 79 748070-74817e 81 748180 79->81 82 74813d-7481a5 79->82 81->82 85 748161 81->85 88 7481a7 82->88 89 7481bd-7481ca 82->89 87 748163-748170 call 777164 85->87 93 748186 CloseHandle 87->93 94 748172 87->94 96 7481d0 89->96 97 7480f3 89->97 95 74818c-748192 93->95 94->95 98 748194 95->98 99 748115-748118 95->99 109 7480c3 96->109 110 7481fe-748201 GetTokenInformation 96->110 100 7480f5 97->100 101 74808c 97->101 98->99 103 74819a 98->103 107 7480a7 99->107 108 748119-74811a 99->108 100->101 112 748077 100->112 105 74808e-748184 101->105 103->82 105->93 105->95 108->107 111 74811c 108->111 109->110 115 7480c9 109->115 116 74820f 110->116 125 7481b7 110->125 111->116 117 7481d7-7481de call 77715c 112->117 120 7480ca-7480d8 GetTokenInformation 115->120 116->105 122 748215-74821e 116->122 123 7481e3-7481e6 117->123 124 74810f 120->124 122->105 135 748224 122->135 123->120 137 748089 123->137 128 748111 124->128 129 74812d 124->129 125->116 127 7481b9-7481bb 125->127 127->89 128->129 134 748113 128->134 132 748133-7481f0 129->132 133 7480a8 129->133 140 7481f6 132->140 141 7480da-7480f1 132->141 138 7480aa-7480ad 133->138 134->99 135->117 139 748226 135->139 137->120 142 74808b 137->142 138->87 143 7480b3-748203 138->143 139->117 144 748228-7482ee call 745d90 139->144 140->141 146 7481fc 140->146 141->138 142->101 143->87 149 748209 143->149 154 7482f0 144->154 155 74830c-748320 call 745d90 call 74ec00 144->155 146->110 154->155 156 7482f2 154->156 158 7482f7-7482fc call 745d90 155->158 171 748322 155->171 156->158 165 748302 158->165 166 748253-748265 call 761280 158->166 165->166 169 748308-74830a 165->169 173 748328 166->173 174 74826b 166->174 169->155 171->158 172 748324-748326 171->172 172->173 178 748335 173->178 179 7482df-74832b 173->179 174->173 177 74823f-748243 174->177 177->158 183 748287 178->183 184 74829b-74829d 178->184 179->178 182 74832d-748331 179->182 182->178 183->184 186 74824e-748252 183->186 186->166
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7d342092ad2f220efaa916aa9cfbfe4eab70e6cc09f0e9aaa0704db0697f7b76
                                                          • Instruction ID: edd1dcb9d41f26f29497ea1a9b782ef5580519140d855f781d593c00075f6c12
                                                          • Opcode Fuzzy Hash: 7d342092ad2f220efaa916aa9cfbfe4eab70e6cc09f0e9aaa0704db0697f7b76
                                                          • Instruction Fuzzy Hash: 38614430A1CA8DDFC7E98B28885833E7BA0FB56350F58461BE456C31A0DF6C9C499753
                                                          Function 00745B09 Relevance: 3.1, APIs: 2, Instructions: 60COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 187 745b09-745d01 192 745bb4-745ce4 CreateThread 187->192 193 745d07 187->193 200 745c01-745c05 CloseHandle 192->200 201 745cea 192->201 193->192 194 745d0d 193->194 196 745d37-745d41 194->196 198 745d43 196->198 199 745d4b-745d52 196->199 202 745d54 198->202 199->202 203 745d45-745d47 199->203 200->196 206 745c20-745c68 200->206 201->200 205 745cf0-745cf6 201->205 207 745d5f 203->207 208 745d49 203->208 205->206 210 745d65 207->210 208->199 208->207 210->210
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                          • Instruction ID: 271d2ce957380dda59bec67b3401f78bfe59ce1ac95e2a301b3fd69d026ebc34
                                                          • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                          • Instruction Fuzzy Hash: 2D019270A0DF4B8FDB5956649C983797790EF51724F2501ABC487CA093DB6C4904EB62
                                                          Function 00745910 Relevance: 1.9, APIs: 1, Instructions: 607COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 211 745910-745968 213 745915-7459b8 call 779970 call 760df0 211->213 214 74596a 211->214 226 7459bd-7459c2 call 745d90 213->226 214->213 218 745931-75072c 214->218 221 750806-750809 218->221 222 750732-750738 218->222 231 75079d-7507a6 221->231 224 750800 222->224 225 75073e 222->225 224->221 230 7506b3-7506b7 224->230 225->224 228 750744-750774 225->228 233 7459c7-7459ce 226->233 237 7506d5-7506d9 228->237 238 75077a-75081c 228->238 230->231 234 7506bd 230->234 235 750791-750793 231->235 236 7507a8 231->236 239 7459d0 233->239 240 745a1a-745a26 call 745e10 233->240 234->231 241 7506c3-7507fe 234->241 242 7507ca-7507cc 235->242 236->235 243 7507aa 236->243 247 7506df 237->247 248 7506db 237->248 238->231 239->240 245 7459d2 239->245 264 745994-74599c 240->264 265 745a0d 240->265 241->224 243->242 250 7459d4-745a15 call 7611a0 245->250 247->231 248->247 251 7506dd 248->251 251->247 256 75c0cc 251->256 257 75c0ce-75c0d0 256->257 258 75c0e8-75c102 256->258 261 75c0d2-75c0df 257->261 258->261 263 75c104 258->263 272 75c0e7 261->272 263->261 263->272 270 745a02 264->270 271 74599e-7459f7 264->271 274 745991 265->274 275 745932 265->275 270->250 278 74597d 270->278 271->270 274->275 279 745993 274->279 277 7459e4-7459ec call 7721ac 275->277 284 745a62-745a6e 277->284 285 7459ed 277->285 278->250 281 74597f-745981 278->281 279->264 283 745983-745a38 281->283 283->264 290 745a3e call 772190 283->290 287 745a75-745ab3 call 761280 284->287 288 745a70 284->288 285->283 289 7459ee-7459ef 285->289 301 745ab5 287->301 302 745abb-745ac9 287->302 288->287 291 745a72 288->291 289->283 293 7459f1 289->293 290->264 303 7459e0 290->303 291->287 293->213 301->302 304 745ab7-745ab9 301->304 305 745af2-745af5 302->305 303->264 306 7459e2 303->306 304->302 310 745ad5 305->310 311 745adb-745adc 305->311 306->277 310->311 312 745ad7-745ad9 310->312 313 745a45-745a46 311->313 314 745ae2 311->314 312->311 314->313 315 745ae8 314->315 315->305
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                          • Instruction ID: 0fe9b6eb2b55418477418947846d6440fb1d656ba8660a699a0b5f8191ae66f4
                                                          • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                          • Instruction Fuzzy Hash: 05F1072171CE488FC769972C58593B977D2FB99310F58469EE84FC3297DE6C9C0A8382
                                                          Function 00745B42 Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 358 745b42-745b47 call 745d90 360 745b4c-745b52 358->360 362 745c42-745c62 call 761280 360->362 363 745b0d 360->363 378 745c14-745cc0 362->378 379 745c26 362->379 363->362 364 745b13 363->364 366 745c8f-745c96 364->366 368 745c98-745c9a 366->368 369 745c29 366->369 370 745c9c 368->370 371 745cc2-745cc9 call 7452a0 369->371 372 745c2f-745c36 369->372 381 745d0e-745d18 370->381 382 745bfa 370->382 387 745c69 371->387 388 745ccb 371->388 372->371 376 745c3c 372->376 376->358 378->371 379->378 386 745c28 379->386 383 745d54 381->383 384 745d1a 381->384 382->381 389 745c00 382->389 392 745d4b-745d52 384->392 386->369 390 745c6f 387->390 391 745b68-745d75 387->391 388->370 393 745ccd 388->393 389->378 390->391 394 745c75 390->394 392->383 395 745d45-745d47 392->395 393->370 396 745ccf-745ce4 CreateThread 393->396 394->366 398 745d5f 395->398 399 745d49 395->399 401 745c01-745c05 CloseHandle 396->401 402 745cea 396->402 403 745d65 398->403 399->392 399->398 406 745c20-745c68 401->406 407 745d37-745d41 401->407 402->401 405 745cf0-745cf6 402->405 403->403 405->406 407->392 408 745d43 407->408 408->383
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                          • Instruction ID: b9e1a827931c49423f167866526495951bb338a658b94a098d50cf11fbce24c8
                                                          • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                          • Instruction Fuzzy Hash: 9221C13060CF46CFCB6A9B1884D877826E1EB55310F6902A69447CF1A3DB2C8C44D766
                                                          Function 00745B87 Relevance: 1.5, APIs: 1, Instructions: 23threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 410 745b87-745b99 CreateThread 411 745b1c-745b3b 410->411 412 745cff-745d01 410->412 411->412 413 745bb4-745ce4 CreateThread 412->413 414 745d07 412->414 422 745c01-745c05 CloseHandle 413->422 423 745cea 413->423 414->413 415 745d0d 414->415 418 745d37-745d41 415->418 420 745d43 418->420 421 745d4b-745d52 418->421 424 745d54 420->424 421->424 425 745d45-745d47 421->425 422->418 428 745c20-745c68 422->428 423->422 427 745cf0-745cf6 423->427 429 745d5f 425->429 430 745d49 425->430 427->428 432 745d65 429->432 430->421 430->429 432->432
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                          • Instruction ID: ee5750e280401015aff03cf7d77edd183640949b027053554f9b371af091fee3
                                                          • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                          • Instruction Fuzzy Hash: 24E0867061DB444FDB5A9B2458207293AE5EB88310F1501CEC44ADB1D2CF6D09058796
                                                          Function 0074599B Relevance: 1.3, APIs: 1, Instructions: 48COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 433 74599b-74599e 434 7459f7 433->434 435 7459b8 call 760df0 433->435 437 745a02 434->437 438 7459bd-7459c2 call 745d90 435->438 441 7459d4-745a15 call 7611a0 437->441 442 74597d 437->442 443 7459c7-7459ce 438->443 442->441 444 74597f-745981 442->444 447 7459d0 443->447 448 745a1a-745a26 call 745e10 443->448 449 745983-745a38 444->449 447->448 451 7459d2 447->451 455 745994-74599c 448->455 463 745a0d 448->463 449->455 456 745a3e call 772190 449->456 451->441 455->437 459 74599e 455->459 456->455 469 7459e0 456->469 459->434 467 745991 463->467 468 745932 463->468 467->468 471 745993 467->471 470 7459e4-7459ec call 7721ac 468->470 469->455 472 7459e2 469->472 475 745a62-745a6e 470->475 476 7459ed 470->476 471->455 472->470 477 745a75-745ab3 call 761280 475->477 478 745a70 475->478 476->449 479 7459ee-7459ef 476->479 489 745ab5 477->489 490 745abb-745ac9 477->490 478->477 480 745a72 478->480 479->449 482 7459f1 call 779970 479->482 480->477 482->435 489->490 491 745ab7-745ab9 489->491 492 745af2-745af5 490->492 491->490 496 745ad5 492->496 497 745adb-745adc 492->497 496->497 498 745ad7-745ad9 496->498 499 745a45-745a46 497->499 500 745ae2 497->500 498->497 500->499 501 745ae8 500->501 501->492
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID: wcscpy
                                                          • String ID:
                                                          • API String ID: 1284135714-0
                                                          • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                                          • Instruction ID: 25e524eef2f049243a6bc6c57955b5371f3f4b01e950ff796638d29be3fda127
                                                          • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                                          • Instruction Fuzzy Hash: D601F970B1DE80CFD757971844492796A52FB95324F28865A908EC7193DB3CAD059742
                                                          Function 00745BE2 Relevance: 1.3, APIs: 1, Instructions: 25COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 502 745be2-745be5 503 745be7-745ca3 502->503 504 745bfc-745c05 CloseHandle 502->504 507 745ca5 503->507 508 745ca8-745cb3 call 745e10 503->508 512 745d37-745d41 504->512 513 745c20-745c68 504->513 507->508 510 745ca7 507->510 520 745cb5 508->520 521 745d26 508->521 510->508 514 745d43 512->514 515 745d4b-745d52 512->515 518 745d54 514->518 515->518 519 745d45-745d47 515->519 522 745d5f 519->522 523 745d49 519->523 520->521 524 745cb7 520->524 525 745d27-745d2a call 745910 521->525 529 745d65 522->529 523->515 523->522 526 745d5b-745d5d 524->526 530 745d2e 525->530 526->522 529->529 530->526
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                                          • Instruction ID: 0c4bc289346f69fe9cf18880fa60d62fc5dbacbf4d60bdd9143f61459a249abf
                                                          • Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                                          • Instruction Fuzzy Hash: 67E0C271A48E1BCFEB55A618C8C937522C0DF2436032409618802C7113E71CCE05EF62
                                                          Function 00748090 Relevance: 1.3, APIs: 1, Instructions: 14COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 531 748090-748096 532 748184 531->532 533 74813c-7481a5 531->533 534 748186 CloseHandle 532->534 535 74818c-748192 532->535 546 7481a7 533->546 547 7481bd-7481ca 533->547 534->535 537 748194 535->537 538 748115-748118 535->538 537->538 539 74819a 537->539 541 7480a7 538->541 542 748119-74811a 538->542 539->533 542->541 543 74811c 542->543 545 74820f 543->545 548 748215-74821e 545->548 549 74808e-748096 545->549 552 7481d0 547->552 553 7480f3 547->553 548->549 556 748224 548->556 549->532 562 7480c3 552->562 563 7481fe-748201 GetTokenInformation 552->563 554 7480f5 553->554 555 74808c 553->555 554->555 565 748077 554->565 555->549 560 748226 556->560 561 7481d7-7481e6 call 77715c 556->561 560->561 566 748228-7482ee call 745d90 560->566 571 7480ca-74810f GetTokenInformation 561->571 580 748089 561->580 562->563 568 7480c9 562->568 563->545 578 7481b7 563->578 565->561 586 7482f0 566->586 587 74830c-748320 call 745d90 call 74ec00 566->587 568->571 582 748111 571->582 583 74812d 571->583 578->545 581 7481b9-7481bb 578->581 580->571 588 74808b 580->588 581->547 582->583 589 748113 582->589 584 748133-7481f0 583->584 585 7480a8 583->585 594 7481f6 584->594 595 7480da-7480f1 584->595 592 7480aa-7480ad 585->592 586->587 591 7482f2 586->591 596 7482f7-7482fc call 745d90 587->596 619 748322 587->619 588->555 589->538 591->596 598 748163-748170 call 777164 592->598 599 7480b3-748203 592->599 594->595 600 7481fc 594->600 595->592 611 748302 596->611 612 748253-748265 call 761280 596->612 598->534 613 748172 598->613 599->598 606 748209 599->606 600->563 611->612 617 748308-74830a 611->617 621 748328 612->621 622 74826b 612->622 613->535 617->587 619->596 620 748324-748326 619->620 620->621 626 748335 621->626 627 7482df-74832b 621->627 622->621 625 74823f-748243 622->625 625->596 631 748287 626->631 632 74829b-74829d 626->632 627->626 630 74832d-748331 627->630 630->626 631->632 634 74824e-748252 631->634 634->612
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                          • Instruction ID: 1c620236f7afa898a2311e2828d6ba0e52a4e69d966ece51bf0e5f9c858c48e0
                                                          • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                          • Instruction Fuzzy Hash: 85C08C6012988E9766F902880C0B0BC26008206350B0C000F8C0380220DF0C8E031097
                                                          Function 0074817F Relevance: 1.3, APIs: 1, Instructions: 10COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 635 74817f 636 748184 635->636 637 748186 CloseHandle 636->637 638 74818c-748192 636->638 637->638 639 748194 638->639 640 748115-748118 638->640 639->640 641 74819a-7481a5 639->641 642 7480a7 640->642 643 748119-74811a 640->643 653 7481a7 641->653 654 7481bd-7481ca 641->654 643->642 644 74811c 643->644 646 74820f 644->646 648 748215-74821e 646->648 649 74808e-748096 646->649 648->649 655 748224 648->655 649->636 663 7481d0 654->663 664 7480f3 654->664 656 748226 655->656 657 7481d7-7481e6 call 77715c 655->657 656->657 660 748228-7482ee call 745d90 656->660 678 748089 657->678 679 7480ca-74810f GetTokenInformation 657->679 683 7482f0 660->683 684 74830c-748320 call 745d90 call 74ec00 660->684 674 7480c3 663->674 675 7481fe-748201 GetTokenInformation 663->675 666 7480f5 664->666 667 74808c 664->667 666->667 676 748077 666->676 667->649 674->675 680 7480c9 674->680 675->646 694 7481b7 675->694 676->657 678->679 685 74808b 678->685 688 748111 679->688 689 74812d 679->689 680->679 683->684 687 7482f2 683->687 693 7482f7-7482fc call 745d90 684->693 722 748322 684->722 685->667 687->693 688->689 695 748113 688->695 691 748133-7481f0 689->691 692 7480a8 689->692 702 7481f6 691->702 703 7480da-7480f1 691->703 700 7480aa-7480ad 692->700 710 748302 693->710 711 748253-748265 call 761280 693->711 694->646 699 7481b9-7481bb 694->699 695->640 699->654 705 748163-748170 call 777164 700->705 706 7480b3-748203 700->706 702->703 709 7481fc 702->709 703->700 705->637 721 748172 705->721 706->705 717 748209 706->717 709->675 710->711 718 748308-74830a 710->718 725 748328 711->725 726 74826b 711->726 718->684 721->638 722->693 723 748324-748326 722->723 723->725 730 748335 725->730 731 7482df-74832b 725->731 726->725 729 74823f-748243 726->729 729->693 735 748287 730->735 736 74829b-74829d 730->736 731->730 734 74832d-748331 731->734 734->730 735->736 738 74824e-748252 735->738 738->711
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                          • Instruction ID: 91c88fc3c691033ef3256ef45287416b1d6c26a26006012414715a9997974a8e
                                                          • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                          • Instruction Fuzzy Hash: CCC092A459955D8765F926C86C0A0BD3550461B760F0C441FEC078A364DF5C8D5355E3

                                                          Non-executed Functions

                                                          Function 00772D40 Relevance: 1.8, APIs: 1, Instructions: 321COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID: _clrfp
                                                          • String ID:
                                                          • API String ID: 3618594692-0
                                                          • Opcode ID: b2614b7e1b0189ae345bd4c1d95b1b808051b71dd771fb59e21b33d23e549fbc
                                                          • Instruction ID: 202c380ff976d82c8093dd964c76a611ca677573c2cd6192f127e088585ea60c
                                                          • Opcode Fuzzy Hash: b2614b7e1b0189ae345bd4c1d95b1b808051b71dd771fb59e21b33d23e549fbc
                                                          • Instruction Fuzzy Hash: EEB17731610A4D8FDF99CF1CC88AB6677E1FB59344F188599E86DCB262C339D852CB01
                                                          Function 0076EEB0 Relevance: .7, Instructions: 737COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 33f1da026cedb8bb4c154c58f95936b4a0e13185094ee08358de1f6eed02a0cf
                                                          • Instruction ID: b04a225a507b0208e56e35ad32ebd9f3976dfd6c3da2e867c859da797ca29459
                                                          • Opcode Fuzzy Hash: 33f1da026cedb8bb4c154c58f95936b4a0e13185094ee08358de1f6eed02a0cf
                                                          • Instruction Fuzzy Hash: E6F19732668F1C079728EE9DAC8E2B573C2D3E4722F4A437F9845D3265ED75AC8185C2
                                                          Function 00747C00 Relevance: .4, Instructions: 370COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 724192d415810ac4f34237431d09bd2ecc20d27c57fa4998346b62a5e3d6f42c
                                                          • Instruction ID: 412a0a0565a50eb62bef4f39f68555cf0ab78e9378ef7192756a62a2e0ce1701
                                                          • Opcode Fuzzy Hash: 724192d415810ac4f34237431d09bd2ecc20d27c57fa4998346b62a5e3d6f42c
                                                          • Instruction Fuzzy Hash: 0FC15A3242DB644AD32B9F7DA8812E6F3E4FFD9319F41872AD9C5A3060DB3854478286
                                                          Function 0076A810 Relevance: .3, Instructions: 257COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4e6b58e5a89bf5cdf24951cf629520558a61642b70cf246aec3f524e75493717
                                                          • Instruction ID: 81878882f838a7c71bfcd71a9427000161ba3efb37b033e1f2411dee7fd754be
                                                          • Opcode Fuzzy Hash: 4e6b58e5a89bf5cdf24951cf629520558a61642b70cf246aec3f524e75493717
                                                          • Instruction Fuzzy Hash: 6061E531A293894B930DC91D9C864517B92EAA651937CC3ECCDD28F387E862F517C3D2
                                                          Function 007479F0 Relevance: .2, Instructions: 200COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8e2da79344872b5643ce3899f66769d7448a497f841557188c4ca06468b0fd85
                                                          • Instruction ID: 4212e39da40d2b0ab0576ae031ff25e828e4fad6ebc4be31b040890a97bb70a7
                                                          • Opcode Fuzzy Hash: 8e2da79344872b5643ce3899f66769d7448a497f841557188c4ca06468b0fd85
                                                          • Instruction Fuzzy Hash: 8D515C90B1C7848FDB3E8B3C481427E2A91EB96364F6DC2DBE04AC2291DF2C4E41C356
                                                          Function 007693B0 Relevance: .2, Instructions: 188COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1cb0376d5f4543bb8137eeff6a4ca7b4a3039c8d8bd8826e253d9a000427cd9
                                                          • Instruction ID: dd5ab14a278209c2a8eb9a9065036ab52eaa82f327a7141319c9eec701cba398
                                                          • Opcode Fuzzy Hash: f1cb0376d5f4543bb8137eeff6a4ca7b4a3039c8d8bd8826e253d9a000427cd9
                                                          • Instruction Fuzzy Hash: 53510DB28183058F8308CF19C882126FBE5FB8A714B15855EE9D697212D731F9538FC2
                                                          Function 007692A0 Relevance: .1, Instructions: 137COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1757447620.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_740000_AppVClient.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0710a6d56e74f75e4f2d76c0792897e09a389baafeaf9ef38ca3dee3c678baf7
                                                          • Instruction ID: 95f53bcb3013ffc607570205fa4a55d7e593650cec09bf4caffca84637faaae4
                                                          • Opcode Fuzzy Hash: 0710a6d56e74f75e4f2d76c0792897e09a389baafeaf9ef38ca3dee3c678baf7
                                                          • Instruction Fuzzy Hash: C84182B69683048F830CDF14C883422B7E4FB8A719B25C56DD9D64B202DB31F953DAC2

                                                          Execution Graph

                                                          Execution Coverage:0.9%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:11%
                                                          Total number of Nodes:91
                                                          Total number of Limit Nodes:7
                                                          execution_graph 76858 2d1acb 76859 2d1ae0 76858->76859 76862 3000c3 76859->76862 76865 2fe703 76862->76865 76866 2fe729 76865->76866 76875 2d7683 76866->76875 76868 2fe73f 76874 2d1bdd 76868->76874 76878 2eb453 76868->76878 76870 2fe75e 76871 2fe773 76870->76871 76872 2fce53 ExitProcess 76870->76872 76889 2fce53 76871->76889 76872->76871 76892 2e67d3 76875->76892 76877 2d7690 76877->76868 76879 2eb47f 76878->76879 76916 2eb343 76879->76916 76882 2eb4ac 76884 2eb4b7 76882->76884 76922 2fca93 76882->76922 76883 2eb4c4 76885 2eb4e0 76883->76885 76887 2fca93 NtClose 76883->76887 76884->76870 76885->76870 76888 2eb4d6 76887->76888 76888->76870 76890 2fce6d 76889->76890 76891 2fce7e ExitProcess 76890->76891 76891->76874 76893 2e67f0 76892->76893 76895 2e6809 76893->76895 76896 2fd4f3 76893->76896 76895->76877 76898 2fd50d 76896->76898 76897 2fd53c 76897->76895 76898->76897 76903 2fc0d3 76898->76903 76904 2fc0ed 76903->76904 76910 2f72c0a 76904->76910 76905 2fc119 76907 2feb53 76905->76907 76913 2fce03 76907->76913 76909 2fd5af 76909->76895 76911 2f72c11 76910->76911 76912 2f72c1f LdrInitializeThunk 76910->76912 76911->76905 76912->76905 76914 2fce1d 76913->76914 76915 2fce2e RtlFreeHeap 76914->76915 76915->76909 76917 2eb35d 76916->76917 76921 2eb439 76916->76921 76925 2fc173 76917->76925 76920 2fca93 NtClose 76920->76921 76921->76882 76921->76883 76923 2fcaad 76922->76923 76924 2fcabe NtClose 76923->76924 76924->76884 76926 2fc190 76925->76926 76929 2f735c0 LdrInitializeThunk 76926->76929 76927 2eb42d 76927->76920 76929->76927 76939 2f72b60 LdrInitializeThunk 76940 2e3ff7 76941 2e4013 76940->76941 76943 2e407c 76941->76943 76945 2eb763 RtlFreeHeap LdrInitializeThunk 76941->76945 76944 2e4072 76945->76944 76930 2fc083 76931 2fc0a0 76930->76931 76934 2f72df0 LdrInitializeThunk 76931->76934 76932 2fc0c8 76934->76932 76946 2fec33 76949 2fcdb3 76946->76949 76948 2fec4e 76950 2fcdcd 76949->76950 76951 2fcdde RtlAllocateHeap 76950->76951 76951->76948 76952 2f5113 76955 2f512c 76952->76955 76953 2f5174 76954 2feb53 RtlFreeHeap 76953->76954 76956 2f5184 76954->76956 76955->76953 76957 2f51b7 76955->76957 76959 2f51bc 76955->76959 76958 2feb53 RtlFreeHeap 76957->76958 76958->76959 76960 2f4d73 76961 2f4d8f 76960->76961 76962 2f4dcb 76961->76962 76963 2f4db7 76961->76963 76965 2fca93 NtClose 76962->76965 76964 2fca93 NtClose 76963->76964 76966 2f4dc0 76964->76966 76967 2f4dd4 76965->76967 76970 2fec73 RtlAllocateHeap 76967->76970 76969 2f4ddf 76970->76969 76971 2ffc53 76972 2feb53 RtlFreeHeap 76971->76972 76973 2ffc68 76972->76973 76935 2e7b23 76936 2e7b47 76935->76936 76937 2e7b4e 76936->76937 76938 2e7b83 LdrLoadDll 76936->76938 76938->76937

                                                          Executed Functions

                                                          Function 002E7B23 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 43 2e7b23-2e7b4c call 2ff733 46 2e7b4e-2e7b51 43->46 47 2e7b52-2e7b60 call 2ffd33 43->47 50 2e7b62-2e7b6d call 2fffd3 47->50 51 2e7b70-2e7b81 call 2fe1d3 47->51 50->51 56 2e7b9a-2e7b9d 51->56 57 2e7b83-2e7b97 LdrLoadDll 51->57 57->56
                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 002E7B95
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 002D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2d0000_svchost.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          • Opcode ID: 2df5ad1a77759440835b44e0c81d592d2dcef492499a061f42018885d7945096
                                                          • Instruction ID: 23344d434bcd2457be04a585357057c06e5ae6a6550b60d12d8ebb8d7b9ea6f1
                                                          • Opcode Fuzzy Hash: 2df5ad1a77759440835b44e0c81d592d2dcef492499a061f42018885d7945096
                                                          • Instruction Fuzzy Hash: F3010CB5D5020EABDB10DAA5DD42FAEF3789B54308F0041A5EA18A7240F631EA258B91
                                                          Function 002FCA93 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 63 2fca93-2fcacc call 2d4a33 call 2fdce3 NtClose
                                                          APIs
                                                          • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 002FCAC7
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 002D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2d0000_svchost.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: cf2b45a22dd28b00f8020047974d71a9615bfe0208659e68875304388e63bb0d
                                                          • Instruction ID: ab0a323be8b38c6687118a5f0a189d70637542c1990232adcdc8f00f89d3cb50
                                                          • Opcode Fuzzy Hash: cf2b45a22dd28b00f8020047974d71a9615bfe0208659e68875304388e63bb0d
                                                          • Instruction Fuzzy Hash: D2E086712406057BD510FA69DC41FE7B75CDFC5711F004025FA18A7241C77079108BF0
                                                          Function 02F735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 79 2f735c0-2f735cc LdrInitializeThunk
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 9d2bcd9b88abda25324e0edd6ff924dd608e281e2d624ddd933cca78999155c8
                                                          • Instruction ID: beaba43f15038fe404dcefd8247ed03cd40434f147cb36a71058e707b6bc84a3
                                                          • Opcode Fuzzy Hash: 9d2bcd9b88abda25324e0edd6ff924dd608e281e2d624ddd933cca78999155c8
                                                          • Instruction Fuzzy Hash: FD90023160550812D20071588554707500687D0381FA5C411A142456CD87A58A5165A2
                                                          Function 02F72B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 77 2f72b60-2f72b6c LdrInitializeThunk
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 6d1a49e6fb1a0ff63c62624b3b9492c02b2f1feb30d19c74b6ff8a846dc3efe6
                                                          • Instruction ID: abecfa306faa3e29507cd3b0aa347f5075b0835d871d978d25eee6376dabb3ae
                                                          • Opcode Fuzzy Hash: 6d1a49e6fb1a0ff63c62624b3b9492c02b2f1feb30d19c74b6ff8a846dc3efe6
                                                          • Instruction Fuzzy Hash: A290026120240413420571588454617800B87E0381B95C021E2014594DC53589916125
                                                          Function 02F72DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 78 2f72df0-2f72dfc LdrInitializeThunk
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 8b5e68afd370d91e70774a66adf9ff5b14829121f8a7127d5fe667a6e79da49a
                                                          • Instruction ID: f8647b987277b5e1fe2c3cb6e3ce21ea601829a728dca3b6dee3092c34553caf
                                                          • Opcode Fuzzy Hash: 8b5e68afd370d91e70774a66adf9ff5b14829121f8a7127d5fe667a6e79da49a
                                                          • Instruction Fuzzy Hash: 9190023120140823D21171588544707400A87D03C1FD5C412A142455CD96668A52A121
                                                          Function 002FCE03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 2fce03-2fce44 call 2d4a33 call 2fdce3 RtlFreeHeap
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 002FCE3F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 002D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2d0000_svchost.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: ^h.
                                                          • API String ID: 3298025750-3901830856
                                                          • Opcode ID: 28ef2d6e509b58d6041715ca700afd5f36670ba15aff7ef934103d6af870da59
                                                          • Instruction ID: 4b81ec3507b5d366aed8d73c3f6039e063f2e3718d438324dd7df8f5260c3a1b
                                                          • Opcode Fuzzy Hash: 28ef2d6e509b58d6041715ca700afd5f36670ba15aff7ef934103d6af870da59
                                                          • Instruction Fuzzy Hash: B9E092B12042047BD610EE59EC41FEB77ADEFC9710F004019F948A7241D670BD20CBB4
                                                          Function 002FCDB3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 58 2fcdb3-2fcdf4 call 2d4a33 call 2fdce3 RtlAllocateHeap
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(?,002EE8FE,?,?,00000000,?,002EE8FE,?,?,?), ref: 002FCDEF
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 002D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2d0000_svchost.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 758e987ca8dc1407da8ea2d75dd6bb0baa15a4ae5a41ed448168bd99f93428ac
                                                          • Instruction ID: 3aede74581cd16f4efba9a66e980a59e170b69c5fd64dcf54dd54d9798a315c0
                                                          • Opcode Fuzzy Hash: 758e987ca8dc1407da8ea2d75dd6bb0baa15a4ae5a41ed448168bd99f93428ac
                                                          • Instruction Fuzzy Hash: FEE06DB12142087BD610EE98DC41FEB73ADEFC9710F000419F908A7242D670BD208BB4
                                                          Function 002FCE53 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 68 2fce53-2fce8c call 2d4a33 call 2fdce3 ExitProcess
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2003602986.00000000002D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 002D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2d0000_svchost.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcess
                                                          • String ID:
                                                          • API String ID: 621844428-0
                                                          • Opcode ID: 4a72a8c2f97c2ed90bbe4c78ab3260a7f6740fedc81c4197864b34bdc353a8b3
                                                          • Instruction ID: 25d86aca632d6233478074b43a4a983abcc3725eff86c6288a5c78af28206016
                                                          • Opcode Fuzzy Hash: 4a72a8c2f97c2ed90bbe4c78ab3260a7f6740fedc81c4197864b34bdc353a8b3
                                                          • Instruction Fuzzy Hash: 9EE04F752002147BD520FA69DC41FDBB76CDFC5760F004415FA08A7242C6B07911C7E0
                                                          Function 02F72C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 73 2f72c0a-2f72c0f 74 2f72c11-2f72c18 73->74 75 2f72c1f-2f72c26 LdrInitializeThunk 73->75
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 184bf865038148e07317c0bae3c7c7b5d2a4cdcee602ce85a4b9a5f63d8a32f0
                                                          • Instruction ID: 97d0cb01594f14322433170552f7ac355482eccf788d28f8b9e2194901ae3a93
                                                          • Opcode Fuzzy Hash: 184bf865038148e07317c0bae3c7c7b5d2a4cdcee602ce85a4b9a5f63d8a32f0
                                                          • Instruction Fuzzy Hash: E8B09B71D015C5D5DB11F7605A08717790567D0791F55C062D3030645E4738C1D1E175

                                                          Non-executed Functions

                                                          Function 02FB2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-2160512332
                                                          • Opcode ID: 437c35b5bdd5be92fc2f229b9aaf43e703a35ffdeca18698c12d948185aafa1e
                                                          • Instruction ID: d6a9da0c1f00ff80492fe26bb52d21d757a90ed930fe9f1001ac927457720835
                                                          • Opcode Fuzzy Hash: 437c35b5bdd5be92fc2f229b9aaf43e703a35ffdeca18698c12d948185aafa1e
                                                          • Instruction Fuzzy Hash: 8D928D71A04341ABE722DF26C880BABB7E9BF88794F14491DFB95D7250D770E844CB92
                                                          Function 02F68620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • Critical section debug info address, xrefs: 02FA541F, 02FA552E
                                                          • Address of the debug info found in the active list., xrefs: 02FA54AE, 02FA54FA
                                                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FA540A, 02FA5496, 02FA5519
                                                          • Critical section address, xrefs: 02FA5425, 02FA54BC, 02FA5534
                                                          • double initialized or corrupted critical section, xrefs: 02FA5508
                                                          • Invalid debug info address of this critical section, xrefs: 02FA54B6
                                                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FA54E2
                                                          • Thread is in a state in which it cannot own a critical section, xrefs: 02FA5543
                                                          • Thread identifier, xrefs: 02FA553A
                                                          • corrupted critical section, xrefs: 02FA54C2
                                                          • 8, xrefs: 02FA52E3
                                                          • undeleted critical section in freed memory, xrefs: 02FA542B
                                                          • Critical section address., xrefs: 02FA5502
                                                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FA54CE
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                          • API String ID: 0-2368682639
                                                          • Opcode ID: 17f6ea446a3f0db89406f0c54647d1b040dc70c0ee9f22ac26928c0111c7c3f8
                                                          • Instruction ID: b78f64a06e516b1b340961b014953f60020cedd0ac94aa48a1eb619f781d26b7
                                                          • Opcode Fuzzy Hash: 17f6ea446a3f0db89406f0c54647d1b040dc70c0ee9f22ac26928c0111c7c3f8
                                                          • Instruction Fuzzy Hash: 5F81ACB1E00358AFFB20CF94C945BAEBBB6EB48794FA44119E605B7640C375A944CF60
                                                          Function 02FE12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                          • API String ID: 0-3591852110
                                                          • Opcode ID: 13fcea9ee62afc4bfa9bdd5631ab78a58adcf1bc4a2082bdc01f315687d27b31
                                                          • Instruction ID: 4d0146425bd81bde0eefc854cbf60fb679ceecf8b4d1d3a261bca2c1ff19c1b4
                                                          • Opcode Fuzzy Hash: 13fcea9ee62afc4bfa9bdd5631ab78a58adcf1bc4a2082bdc01f315687d27b31
                                                          • Instruction Fuzzy Hash: 3812BE71A00645DFDB268F2AC441BBBB7E2FF09788F148459E69B8B641D734EC84CB50
                                                          Function 02F2D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                          • API String ID: 0-3532704233
                                                          • Opcode ID: 4fc52f30a749ff3081eb146c1429674c1701a8033aebe892267a1aa387cf4949
                                                          • Instruction ID: 19fd0e2a35c82342fcc592fa0146fd6b43fe9ade9994f9f9938adb015e6e1c2d
                                                          • Opcode Fuzzy Hash: 4fc52f30a749ff3081eb146c1429674c1701a8033aebe892267a1aa387cf4949
                                                          • Instruction Fuzzy Hash: 4FB17D729083659FC715DF24C880B6BBBE9EB85798F01492EFA89D7240D770D948CF92
                                                          Function 02FC9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                          • API String ID: 0-3063724069
                                                          • Opcode ID: b1ebce9907bf4b7f9434f25621c6b270cf4739d19199c81c8ca63350021bdfae
                                                          • Instruction ID: b1aa3fc1eecd4cdc41d2b7343ab9f5b8fd01cebf4fa67ba8c69ebe580878dd38
                                                          • Opcode Fuzzy Hash: b1ebce9907bf4b7f9434f25621c6b270cf4739d19199c81c8ca63350021bdfae
                                                          • Instruction Fuzzy Hash: 8CD10472804392ABD721EA64CD40B7BB7E8AF84794F50496DFB84A7290D7B0D9448FD2
                                                          Function 02FE0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                          • API String ID: 0-1700792311
                                                          • Opcode ID: fb8a0e1a14073fb699d5422603a19c2e3c18917ee05f5d479889c12c019d8e92
                                                          • Instruction ID: 9c1dcaf8339107a60d5b40647001457c6fad14680c4c91e96c32b65381df4f12
                                                          • Opcode Fuzzy Hash: fb8a0e1a14073fb699d5422603a19c2e3c18917ee05f5d479889c12c019d8e92
                                                          • Instruction Fuzzy Hash: 0FD1BF71A00655DFDF22DF68C850AA9BBF2FF4A784F08805DE646AB251CBB4D945CF10
                                                          Function 02F2D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 02F2D2C3
                                                          • @, xrefs: 02F2D313
                                                          • @, xrefs: 02F2D2AF
                                                          • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02F2D0CF
                                                          • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 02F2D146
                                                          • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 02F2D262
                                                          • @, xrefs: 02F2D0FD
                                                          • Control Panel\Desktop\LanguageConfiguration, xrefs: 02F2D196
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                          • API String ID: 0-1356375266
                                                          • Opcode ID: 4c0f6a955b57945fb414cde1a61385c430fdbdd770a6da6e60d98f36936ff3e9
                                                          • Instruction ID: d4b18d549a6f775ccd11c0d9a317cca3005605f8ea3f44d588e91586b652ba5f
                                                          • Opcode Fuzzy Hash: 4c0f6a955b57945fb414cde1a61385c430fdbdd770a6da6e60d98f36936ff3e9
                                                          • Instruction Fuzzy Hash: DEA15D719083559FE721DF24C884B5BB7E9FB89799F00492EEB8896280D774D908CF92
                                                          Function 02F2F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-523794902
                                                          • Opcode ID: c6ee9e2a0c9c2a4194dfd2ab389b89e466de84897c29f996a511cf7cd5eaf9aa
                                                          • Instruction ID: 95170a41742882707e7eb9b4af44c3d29c381c5cb8239f5dbb1edb190af801f4
                                                          • Opcode Fuzzy Hash: c6ee9e2a0c9c2a4194dfd2ab389b89e466de84897c29f996a511cf7cd5eaf9aa
                                                          • Instruction Fuzzy Hash: 7842F1316143418FD715DF28C980B2ABBE5FF86388F14466DFA868B791DB34D849CB52
                                                          Function 02F4B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                          • API String ID: 0-122214566
                                                          • Opcode ID: b4122c37c9866cfc5df979bc5b1dd553829c0686879c3e4ea25b7dbe351407d7
                                                          • Instruction ID: 3a6ce8d51d1e40ea2638e6a36bb5ad3a9c5b73a7372f9b8f62345a187a8ce99a
                                                          • Opcode Fuzzy Hash: b4122c37c9866cfc5df979bc5b1dd553829c0686879c3e4ea25b7dbe351407d7
                                                          • Instruction Fuzzy Hash: FCC11731F002159BEF259F69CC80B7EBB65AF467CCF144069EB069B292DBB4D944C790
                                                          Function 02F663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-792281065
                                                          • Opcode ID: 9c7dd895f3a8df88c30b38dc20d641b27faa072ad062495ec57fc1ecbfa220d9
                                                          • Instruction ID: 8993fe33bc3279fb3125af736c6877fc23410cfbf15b4951d61e4aa521628c74
                                                          • Opcode Fuzzy Hash: 9c7dd895f3a8df88c30b38dc20d641b27faa072ad062495ec57fc1ecbfa220d9
                                                          • Instruction Fuzzy Hash: 77914771F013149BEB35EF54DD58BBA7BA5EF41BD8F100169EB01ABA84D7B89801CB90
                                                          Function 02F6C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 02FA81E5
                                                          • LdrpInitializeImportRedirection, xrefs: 02FA8177, 02FA81EB
                                                          • Loading import redirection DLL: '%wZ', xrefs: 02FA8170
                                                          • LdrpInitializeProcess, xrefs: 02F6C6C4
                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 02FA8181, 02FA81F5
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 02F6C6C3
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                          • API String ID: 0-475462383
                                                          • Opcode ID: 2a2648b6072d34db08f862e1d07ccf8b1922c07cb772a3cd96acedfbae9d1507
                                                          • Instruction ID: 166404205d37d4f4795aba0a7963bcab060b13c2dfdeb999ff238fab743486b6
                                                          • Opcode Fuzzy Hash: 2a2648b6072d34db08f862e1d07ccf8b1922c07cb772a3cd96acedfbae9d1507
                                                          • Instruction Fuzzy Hash: 913108B17443519BD220EF28DD45E2BB795EF84B94F000568FB856B291D664EC04CFA2
                                                          Function 02F62674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 02FA21BF
                                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 02FA219F
                                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 02FA2180
                                                          • RtlGetAssemblyStorageRoot, xrefs: 02FA2160, 02FA219A, 02FA21BA
                                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 02FA2178
                                                          • SXS: %s() passed the empty activation context, xrefs: 02FA2165
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                          • API String ID: 0-861424205
                                                          • Opcode ID: 9b4b5064ecf10eed8553c7eadddded681dedfab630de025d50dfff5ba9dcb52d
                                                          • Instruction ID: 2189ce5a62521e3ff2934dcb34a57e4a5a856c7afa3ba7086befef2fdf2706b5
                                                          • Opcode Fuzzy Hash: 9b4b5064ecf10eed8553c7eadddded681dedfab630de025d50dfff5ba9dcb52d
                                                          • Instruction Fuzzy Hash: FD31D276F40214A7F7219A998C95F6AB769DF94AD4F054069BF09A7140D370DE00C6E1
                                                          Function 02F551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • WindowsExcludedProcs, xrefs: 02F5522A
                                                          • Kernel-MUI-Language-Allowed, xrefs: 02F5527B
                                                          • Kernel-MUI-Language-SKU, xrefs: 02F5542B
                                                          • Kernel-MUI-Language-Disallowed, xrefs: 02F55352
                                                          • Kernel-MUI-Number-Allowed, xrefs: 02F55247
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                          • API String ID: 0-258546922
                                                          • Opcode ID: 6f04a83137a79b3bb6a70795adebaa303df32ca63c9fcdf9b77592f41e5a6da2
                                                          • Instruction ID: 46f65e18556bbcad2e90f21d2caaf7c5f11ec495b51d48fb2c03cc06da3e921f
                                                          • Opcode Fuzzy Hash: 6f04a83137a79b3bb6a70795adebaa303df32ca63c9fcdf9b77592f41e5a6da2
                                                          • Instruction Fuzzy Hash: 43F13B72D10229EBDF15DF94D980A9EBBB9FF48794F55005AEB01A7250DB709E01CF90
                                                          Function 02F5D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-1975516107
                                                          • Opcode ID: d534458abac24937a76b9cdfd864068668d17611aedc8f16952ccc3ea26e64ec
                                                          • Instruction ID: eacb7a05a0121d7e499d10ce715cc889093a8c6cf4428299d87afef115d8a80d
                                                          • Opcode Fuzzy Hash: d534458abac24937a76b9cdfd864068668d17611aedc8f16952ccc3ea26e64ec
                                                          • Instruction Fuzzy Hash: C151F371E023559FDB24EFA4C884B9DBBB2BF45798F244159DF016B285D778A881CF80
                                                          Function 02F276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                          • API String ID: 0-3061284088
                                                          • Opcode ID: 341383ba05a020c2ebd159caf31e16b353d8300f9bb8a2a5638c4b99ce5fbbba
                                                          • Instruction ID: 430611584313a0824409ecb3309136f76d399b1d9980419c415befe6864ed045
                                                          • Opcode Fuzzy Hash: 341383ba05a020c2ebd159caf31e16b353d8300f9bb8a2a5638c4b99ce5fbbba
                                                          • Instruction Fuzzy Hash: 25014C322052A0DEF325B318D859F56FBD4EB43FF8F244049E61197591CBE8EC88DA21
                                                          Function 02F470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                          • API String ID: 0-3178619729
                                                          • Opcode ID: eb95f6172bc99b7c36264c3a131c97dea1c7ed00dc6ecc63e947b47143b0f5dd
                                                          • Instruction ID: 30e3f5552995a78c4b75f2f0d8b889f01540999a52f95e2d35b909255e66f5df
                                                          • Opcode Fuzzy Hash: eb95f6172bc99b7c36264c3a131c97dea1c7ed00dc6ecc63e947b47143b0f5dd
                                                          • Instruction Fuzzy Hash: D113AF70E00655CFDB24DF68C890BA9FBF1BF49384F1481A9DA45AB381DBB4A945CF90
                                                          Function 02F41070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-3570731704
                                                          • Opcode ID: 0fc7c419fc2275868e7550f7395d28672a20f32ce1b360c5fa297cbd678e9afe
                                                          • Instruction ID: c1f9235e570ef55a778a7e9fe31b9e5b5b7560e2360a641b6f17e76fb1da1bf7
                                                          • Opcode Fuzzy Hash: 0fc7c419fc2275868e7550f7395d28672a20f32ce1b360c5fa297cbd678e9afe
                                                          • Instruction Fuzzy Hash: A3923A71E01228CFEB25CF14CC40BAABBB6AF45394F1581EADA4DA7250DB749E84CF51
                                                          Function 02F3A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                          • API String ID: 0-379654539
                                                          • Opcode ID: 725f774b71451e191cf1ed864de285ffec4f866189c09353c59969a79c353560
                                                          • Instruction ID: 0ba26da1d9e1590cafd739acd38a6d616778be7249e3426970cb8578608fd3f0
                                                          • Opcode Fuzzy Hash: 725f774b71451e191cf1ed864de285ffec4f866189c09353c59969a79c353560
                                                          • Instruction Fuzzy Hash: 57C1AC72608382DFD712CF1AC544B6AB7E4BF84798F00496AFAD68B350E734C949CB52
                                                          Function 02F6273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • .Local, xrefs: 02F628D8
                                                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 02FA21D9, 02FA22B1
                                                          • SXS: %s() passed the empty activation context, xrefs: 02FA21DE
                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 02FA22B6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                          • API String ID: 0-1239276146
                                                          • Opcode ID: 7e351de37fca3e5e66b46bd562311839d88d4a5bbe7bb68276182bbe0c4cccc8
                                                          • Instruction ID: 9012e15d12f271efed9938946aff0c1ac9f668151e9c5fd149db5c9e54ea4d20
                                                          • Opcode Fuzzy Hash: 7e351de37fca3e5e66b46bd562311839d88d4a5bbe7bb68276182bbe0c4cccc8
                                                          • Instruction Fuzzy Hash: 37A19D71E002299BDB24DF64DC98BA9B3B5FF58398F1441EADE48A7250D7309E80CF90
                                                          Function 02F2F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                          • API String ID: 0-2586055223
                                                          • Opcode ID: b6ef52b1c8149c144070b14922a72ab81852a9438c9bbad6dbb3cc2958d2e661
                                                          • Instruction ID: a60e8d2a3bb0a8980b4655411a812a35451fcbcef0fde6233f9d1727214d2d57
                                                          • Opcode Fuzzy Hash: b6ef52b1c8149c144070b14922a72ab81852a9438c9bbad6dbb3cc2958d2e661
                                                          • Instruction Fuzzy Hash: 7C612072204284AFE721EB28CD54F67BBF9EF85794F140568FB558B691C734E804CB62
                                                          Function 02FE11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                          • API String ID: 0-336120773
                                                          • Opcode ID: 5e6e090f8d023de6d7255477ade647d0a0b106c24e5ce1f5488ab53f986020df
                                                          • Instruction ID: ac269fa894ccc228ad20eea04fd211d3821c05333d77fdc1049fd70f7e9ea3e4
                                                          • Opcode Fuzzy Hash: 5e6e090f8d023de6d7255477ade647d0a0b106c24e5ce1f5488ab53f986020df
                                                          • Instruction Fuzzy Hash: 5A31AB32600114EFEB12DB99CC85FA773E9EF097E8F144059EA0ADB290D670ED44DE66
                                                          Function 02F29148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                          • API String ID: 0-1391187441
                                                          • Opcode ID: 70972a6d8696fe39ce041fc529d0f92bcd18e331251f90d0de8281a21b45f8aa
                                                          • Instruction ID: b6494b9e82cc4eda64860cfe20a882c7cf4c4817be5a10cbcd002f3faa11ff84
                                                          • Opcode Fuzzy Hash: 70972a6d8696fe39ce041fc529d0f92bcd18e331251f90d0de8281a21b45f8aa
                                                          • Instruction Fuzzy Hash: FD31C632A00124EFEB11EB45CC85F9AB7B9EF467E8F244051EE15A7290D7B0ED44CE61
                                                          Function 02F40770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-4253913091
                                                          • Opcode ID: e9d75e1e7d2ca4fff55263c89b417b9dc10defb9ce22503dff38aea36ee1e15c
                                                          • Instruction ID: 484a159e1e636d2dd17012a3b171f3cef553fce2e45cf030070b036efe793109
                                                          • Opcode Fuzzy Hash: e9d75e1e7d2ca4fff55263c89b417b9dc10defb9ce22503dff38aea36ee1e15c
                                                          • Instruction Fuzzy Hash: 0DF19931B00605DFEB19CF68C990B6ABBB5FF44384F1441A9E6169B391DB74E981CF90
                                                          Function 02F3B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                          • API String ID: 0-1145731471
                                                          • Opcode ID: f3ac7ba8496b6319ebe665582056d6cc17c684899a9915abfad72850ac159c45
                                                          • Instruction ID: a3cdd4402a11690d9a91ee28f6c7f3d18d197ccf8344c066617b8a24598ff730
                                                          • Opcode Fuzzy Hash: f3ac7ba8496b6319ebe665582056d6cc17c684899a9915abfad72850ac159c45
                                                          • Instruction Fuzzy Hash: C0B1AD72E056088FEF26CF59C990FADB7B6EF44398F144569EA51EB280D730E840CB00
                                                          Function 02FB368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                          • API String ID: 0-2391371766
                                                          • Opcode ID: 0b4e0b12a20ec3b8061a9cb574b9cde759273f3283cc750cb9ed6cf647d541ce
                                                          • Instruction ID: 414a29d4ca1dd063a1a58a588a3bf7dc8024346768b4fc04504134d9877469f6
                                                          • Opcode Fuzzy Hash: 0b4e0b12a20ec3b8061a9cb574b9cde759273f3283cc750cb9ed6cf647d541ce
                                                          • Instruction Fuzzy Hash: A2B1C172A44345AFE722DE56CC80FABB7E9EF45794F11096AFB4097280C775E804CB92
                                                          Function 02F2A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: FilterFullPath$UseFilter$\??\
                                                          • API String ID: 0-2779062949
                                                          • Opcode ID: c32f9a988065948e654dd424284b7aa101b4307c9e6d3ae604ec6e05767bb7fa
                                                          • Instruction ID: 1958c3bfb66959d5f9f647e7df55495a2a46c0d08e863e6496d5c6c720d9c83f
                                                          • Opcode Fuzzy Hash: c32f9a988065948e654dd424284b7aa101b4307c9e6d3ae604ec6e05767bb7fa
                                                          • Instruction Fuzzy Hash: 64A17D71D016299BDB31EF64CC88BAAF7B9EF44744F1001EAEA09A7250D7359E85CF60
                                                          Function 02FC36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                          • API String ID: 0-318774311
                                                          • Opcode ID: b372a788e8fc79aafe75cf5242b73ef3c8090e52c0d61c5d0fba45c8b677d180
                                                          • Instruction ID: 81a4594c3c1ff7cd83e4cc83f39296257c026f90a59ec9aa2e639a2769792798
                                                          • Opcode Fuzzy Hash: b372a788e8fc79aafe75cf5242b73ef3c8090e52c0d61c5d0fba45c8b677d180
                                                          • Instruction Fuzzy Hash: 7181AC71A08346AFD3119B14CA44F6AB7E9EF847C4F2489ADFE8197390D774D904CB52
                                                          Function 02F6909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %$&$@
                                                          • API String ID: 0-1537733988
                                                          • Opcode ID: bbf334ff7ba6fba878b38553385942be3872a37898b2f906d7ec89968e34b8a5
                                                          • Instruction ID: 216a66bbff7a475f971db9d2ba3b2696a6ac822e05d5b1165974975395abb7a8
                                                          • Opcode Fuzzy Hash: bbf334ff7ba6fba878b38553385942be3872a37898b2f906d7ec89968e34b8a5
                                                          • Instruction Fuzzy Hash: 2971E471A093019FD710DF24C988A3BBBE6FF84798F60491EE6A687250C770D805CF52
                                                          Function 0300B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0300B82A
                                                          • TargetNtPath, xrefs: 0300B82F
                                                          • GlobalizationUserSettings, xrefs: 0300B834
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                          • API String ID: 0-505981995
                                                          • Opcode ID: 9e01031dbbec496ad25cbc69303846d0b0d03c51665ca5d7334b0b97d94e4be4
                                                          • Instruction ID: 0a0364e79818e7ec3d7397236ac91a3ae41617b34c33ffd2378e9ae933d07dd9
                                                          • Opcode Fuzzy Hash: 9e01031dbbec496ad25cbc69303846d0b0d03c51665ca5d7334b0b97d94e4be4
                                                          • Instruction Fuzzy Hash: BD614F72D42229ABEB21DF54DC88BDAF7B9AF14750F0101E5A609A7290DB74DE84CF90
                                                          Function 02F2F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 02F8E6C6
                                                          • HEAP: , xrefs: 02F8E6B3
                                                          • HEAP[%wZ]: , xrefs: 02F8E6A6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                          • API String ID: 0-1340214556
                                                          • Opcode ID: 003fa7611a7caebfb8f65c000fe12188014aa06a403b269ca497a4ecfdc8ce6b
                                                          • Instruction ID: 9ce0abc9846b9a46e13acad0a969c563d6b4832c3b9a3002bdcc638549e73ff7
                                                          • Opcode Fuzzy Hash: 003fa7611a7caebfb8f65c000fe12188014aa06a403b269ca497a4ecfdc8ce6b
                                                          • Instruction Fuzzy Hash: EA51E331610654EFE722EB68C994FA6FBF9FF06384F1401A4E7419BA92D774E904CB11
                                                          Function 02F6C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 02FA82E8
                                                          • Failed to reallocate the system dirs string !, xrefs: 02FA82D7
                                                          • LdrpInitializePerUserWindowsDirectory, xrefs: 02FA82DE
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-1783798831
                                                          • Opcode ID: fe6fd8bc674ce151de1b8203d31ae2db4a8be1848d2e871ab9075f46addb2da7
                                                          • Instruction ID: e2e7385d576d6f0ac2be360728e493acc51ea2964f265f4e0185690c22303b62
                                                          • Opcode Fuzzy Hash: fe6fd8bc674ce151de1b8203d31ae2db4a8be1848d2e871ab9075f46addb2da7
                                                          • Instruction Fuzzy Hash: 4D41A471945318ABD720EB64DC48B6B77E9EF447D0F10452AFB89D7250EBB4E804CB91
                                                          Function 02F616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • minkernel\ntdll\ldrtls.c, xrefs: 02FA1B4A
                                                          • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 02FA1B39
                                                          • LdrpAllocateTls, xrefs: 02FA1B40
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                          • API String ID: 0-4274184382
                                                          • Opcode ID: bfc485b1e5fb426d2688f1d2240d68286b9c25d9205f803fab2cdd7d8fe547d9
                                                          • Instruction ID: 02907eda185c5254d189c8b2453cf62fc16123623963994f086cc119d1ee3a44
                                                          • Opcode Fuzzy Hash: bfc485b1e5fb426d2688f1d2240d68286b9c25d9205f803fab2cdd7d8fe547d9
                                                          • Instruction Fuzzy Hash: 09416AB5A01608AFDB15DFA8CC51BAEBBF6FF48794F144159E60AA7250D774A800CFA0
                                                          Function 02FEC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 02FEC1C5
                                                          • @, xrefs: 02FEC1F1
                                                          • PreferredUILanguages, xrefs: 02FEC212
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                          • API String ID: 0-2968386058
                                                          • Opcode ID: 4014afaa5457e73d4326c5b488c4b3c481b87ffefc3fd1da873a8fdea8c857a7
                                                          • Instruction ID: a3c5d02b082271866695e8c921aebc170b063d87bc7d1769813cd431fadce4eb
                                                          • Opcode Fuzzy Hash: 4014afaa5457e73d4326c5b488c4b3c481b87ffefc3fd1da873a8fdea8c857a7
                                                          • Instruction Fuzzy Hash: 62413172E00219ABDF11DED4C891BEEB7B9AB14B84F14416BEB06B7280D7749A44CB50
                                                          Function 02FC4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                          • API String ID: 0-1373925480
                                                          • Opcode ID: 37962e4731ff5813eedbb1736223b1c455912f4185cb838cbe243105b8eb840e
                                                          • Instruction ID: 068f37f9c9fe23710dc2130c8ac5431af176335d097d1a2f78b28a9f9ccea024
                                                          • Opcode Fuzzy Hash: 37962e4731ff5813eedbb1736223b1c455912f4185cb838cbe243105b8eb840e
                                                          • Instruction Fuzzy Hash: 7641D072A002598BEB26DBA4CE54BEDBBB5EF55384F24049EDA41FB781DB748901CB10
                                                          Function 02FB4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 02FB4888
                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 02FB4899
                                                          • LdrpCheckRedirection, xrefs: 02FB488F
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                          • API String ID: 0-3154609507
                                                          • Opcode ID: f64feaf9ce9969dd4b2763bc820a47898eea2d507d043ff4bc3f1a1a9ad60ac1
                                                          • Instruction ID: b8ad5a4bd86b4e562cad4d3b232fa92b04c97edd6e477612a414f28079c37e05
                                                          • Opcode Fuzzy Hash: f64feaf9ce9969dd4b2763bc820a47898eea2d507d043ff4bc3f1a1a9ad60ac1
                                                          • Instruction Fuzzy Hash: 0A410632B016949FCF22DE1ADA60EA7B7E4AF497D0F150259EE49D7752D330D800CB91
                                                          Function 02F633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • Actx , xrefs: 02F633AC
                                                          • SXS: %s() passed the empty activation context data, xrefs: 02FA29FE
                                                          • RtlCreateActivationContext, xrefs: 02FA29F9
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                          • API String ID: 0-859632880
                                                          • Opcode ID: 07602ef8c6bf8de6d92620c9a473f005e3706a4efdb7488f99f2dfcbfa1f5bac
                                                          • Instruction ID: d89d668973b75fbc42d8d8e7c2a0ae3ca890c8f465598b0dcc86de226f0bb89d
                                                          • Opcode Fuzzy Hash: 07602ef8c6bf8de6d92620c9a473f005e3706a4efdb7488f99f2dfcbfa1f5bac
                                                          • Instruction Fuzzy Hash: 683146326003059FEB26DE58CC94BA6B7A5FF44B94F1544A9FF069F686CB70D841CB90
                                                          Function 02F61607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • minkernel\ntdll\ldrtls.c, xrefs: 02FA1A51
                                                          • LdrpInitializeTls, xrefs: 02FA1A47
                                                          • DLL "%wZ" has TLS information at %p, xrefs: 02FA1A40
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                          • API String ID: 0-931879808
                                                          • Opcode ID: 847417a80ce4d89623ae1a2d61c7b2fe626b888472c80342f32a4f62c00be5d2
                                                          • Instruction ID: 99733c9fea443ad7164bcde4ab9fb56bc93b3275069ec0499693cecbad0c0422
                                                          • Opcode Fuzzy Hash: 847417a80ce4d89623ae1a2d61c7b2fe626b888472c80342f32a4f62c00be5d2
                                                          • Instruction Fuzzy Hash: 7B31F876A01200AFE7209B58CC49F7BB7B9FB557D4F250159E709A7280E774AD048F94
                                                          Function 02F71270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 02F7127B
                                                          • @, xrefs: 02F712A5
                                                          • BuildLabEx, xrefs: 02F7130F
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                          • API String ID: 0-3051831665
                                                          • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                          • Instruction ID: e7f1c65e2ac0c893d8cbed8f8b5020f02a71740a199711fe59071d9a8e49d2c5
                                                          • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                          • Instruction Fuzzy Hash: 96318F72A00519ABDF11AFA5CC44EAFBBBEEB84794F004066EB14A71A0D770DA05CB60
                                                          Function 02FB20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 02FB2104
                                                          • Process initialization failed with status 0x%08lx, xrefs: 02FB20F3
                                                          • LdrpInitializationFailure, xrefs: 02FB20FA
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-2986994758
                                                          • Opcode ID: 0bb3ebc0fe8e529ca32b59a737093dd099cffa934b596125e9f33be598be8cba
                                                          • Instruction ID: 61a82ffdcb15a9fd5c4206af214e76496db5581715e18f4e95da52383ed93042
                                                          • Opcode Fuzzy Hash: 0bb3ebc0fe8e529ca32b59a737093dd099cffa934b596125e9f33be598be8cba
                                                          • Instruction Fuzzy Hash: F2F0C275A41218ABFB24E64DDC52FDA3769EF40BD4F50006AFB017B685D6B4A900CE91
                                                          Function 02F403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: #%u
                                                          • API String ID: 48624451-232158463
                                                          • Opcode ID: 7144864c3a51b5bf0ef8d000a88a3eeeb7727afd387c6a3a03b45fb79ddcedff
                                                          • Instruction ID: 1535730bf643b885f111de85902c7eebf24187770f4e0de71cf0338cae801218
                                                          • Opcode Fuzzy Hash: 7144864c3a51b5bf0ef8d000a88a3eeeb7727afd387c6a3a03b45fb79ddcedff
                                                          • Instruction Fuzzy Hash: 0E713C71E0014A9FDB05DF98C990BAEBBF9AF08784F144069EA05E7251EB74ED41CB61
                                                          Function 02FD705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: kLsE
                                                          • API String ID: 3446177414-3058123920
                                                          • Opcode ID: 9c434bdf9c848bdf357f0de5e24179a5fa7edfc7c411caade2e1359e068ebbe2
                                                          • Instruction ID: b8e4bfe7c48eee5fe3107dd553b606da11365445165413a3665de8124a6a0eb6
                                                          • Opcode Fuzzy Hash: 9c434bdf9c848bdf357f0de5e24179a5fa7edfc7c411caade2e1359e068ebbe2
                                                          • Instruction Fuzzy Hash: 24414B3190335947E731BB65EC48B6ABB96AB10BE8F380219EF505F1C9CBB94485CF90
                                                          Function 02F452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@
                                                          • API String ID: 0-149943524
                                                          • Opcode ID: 9696411a808d418fd599a454e9f45a17f327d4083b94e1cab4902050202ce3b3
                                                          • Instruction ID: 09e47399ba10b6e89ef6aca7144707d65e601a7d0969321845872d4496cb8445
                                                          • Opcode Fuzzy Hash: 9696411a808d418fd599a454e9f45a17f327d4083b94e1cab4902050202ce3b3
                                                          • Instruction Fuzzy Hash: 6E32D371A083118BDB24EF15C490B3FBBE5EF94788F94491EFA8597290EBB4D844CB52
                                                          Function 02FFA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `$`
                                                          • API String ID: 0-197956300
                                                          • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                          • Instruction ID: b0d463210bc01e4a66d60eb971cf7440bc5ab0e187156b185174a7fbf9909a03
                                                          • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                          • Instruction Fuzzy Hash: DCC1D0326043469BD765CF28C840B2BBBE6BF84798F084A2DFB99CA2A0D775D505CF51
                                                          Function 02FAE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: Legacy$UEFI
                                                          • API String ID: 2994545307-634100481
                                                          • Opcode ID: c6752380e0d8c81cded8c86f54b3a31b50fe56e4794b733d5e3dd42edc48ccbc
                                                          • Instruction ID: 860a06b1416434b9eb05b5e3cea6e21350d15564821b167630085e0e2adee094
                                                          • Opcode Fuzzy Hash: c6752380e0d8c81cded8c86f54b3a31b50fe56e4794b733d5e3dd42edc48ccbc
                                                          • Instruction Fuzzy Hash: 0F613BB2E002189FDB14DFA8C890FAEBBB5FB44784F544079E759EB291D731A940CB50
                                                          Function 02F4F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $$$
                                                          • API String ID: 0-233714265
                                                          • Opcode ID: 8bf17b9a322d737a70f9db4246740b6e748a17af9e5cb0099c2a1fdcdcc9e95a
                                                          • Instruction ID: c668f9ac303f182c29fbe67b90832aa1a7b2c310034e5451ff54be4304a2c828
                                                          • Opcode Fuzzy Hash: 8bf17b9a322d737a70f9db4246740b6e748a17af9e5cb0099c2a1fdcdcc9e95a
                                                          • Instruction Fuzzy Hash: 9661B071E01749DFDB21EFA4C980FADBBB2FF44384F144169D6196BA40DBB4A941CB50
                                                          Function 02F3A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • RtlpResUltimateFallbackInfo Enter, xrefs: 02F3A2FB
                                                          • RtlpResUltimateFallbackInfo Exit, xrefs: 02F3A309
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                          • API String ID: 0-2876891731
                                                          • Opcode ID: c3cd3b03de78f76e78474b72e7e43cbddf209ffa159984ef88240eade577d355
                                                          • Instruction ID: 3de49321b9b6cddf1d851b218a015bfa5862d7d1fbade71d0bd545344d7ff3ba
                                                          • Opcode Fuzzy Hash: c3cd3b03de78f76e78474b72e7e43cbddf209ffa159984ef88240eade577d355
                                                          • Instruction Fuzzy Hash: 0C41AC31E04649DBDB12CF6AC880BAA77F5FF84784F2440A9EA45DB2A1E776D900CB50
                                                          Function 02F6329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .Local\$@
                                                          • API String ID: 0-380025441
                                                          • Opcode ID: 0de79ec5a63e7dc8c4567f42c9f80953255179025bd56ba3c79f7986c4d5511c
                                                          • Instruction ID: fbece96beb089292426be95d0d7f072e2bc5668726e575c1648a58fad8c0c2fb
                                                          • Opcode Fuzzy Hash: 0de79ec5a63e7dc8c4567f42c9f80953255179025bd56ba3c79f7986c4d5511c
                                                          • Instruction Fuzzy Hash: 5C31B3B26083049FD310DF28C985A6BBBE8FBC5B94F44096EFA9583250DB31DD04CB92
                                                          Function 02F3C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: MUI
                                                          • API String ID: 0-1339004836
                                                          • Opcode ID: c1a81a5e1fcab61c71b31dde98a13e656962cb0a90115389de52542746f846d1
                                                          • Instruction ID: 450f8f6befe6159c156fc4bfebfb5c7093b103eac9b7398ed27b17ab4f3c541f
                                                          • Opcode Fuzzy Hash: c1a81a5e1fcab61c71b31dde98a13e656962cb0a90115389de52542746f846d1
                                                          • Instruction Fuzzy Hash: CE824B75E002188BDB26CFA9C980BEDB7B5BF48794F14816AEA59BB250D7309D81CF50
                                                          Function 02F37370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cef0bc77ac35f273f27871049b8462ab9641df35bb0afd25f16da04f12a6ffc0
                                                          • Instruction ID: 02ddd35858037dcf4ca437f14585751204905c155fb96847d35400d7967eb547
                                                          • Opcode Fuzzy Hash: cef0bc77ac35f273f27871049b8462ab9641df35bb0afd25f16da04f12a6ffc0
                                                          • Instruction Fuzzy Hash: 72A15DB1A08342CFD725EF28C580A2AFBE6BF88394F14496DE68597350D770E945CF92
                                                          Function 02F6F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f6dd735b61eaf181f244bec96af3f89f327abad2b140ee5b3079fb7bf0db7c33
                                                          • Instruction ID: a4beb30a8a483e2a5f0d9cfb148287fc24492107d923f4d4cddcd2874558b336
                                                          • Opcode Fuzzy Hash: f6dd735b61eaf181f244bec96af3f89f327abad2b140ee5b3079fb7bf0db7c33
                                                          • Instruction Fuzzy Hash: F2414FB4D01288DFDB20DFA9D880AAEBBF4FF48744F60426EDA59A7611D7359940CF60
                                                          Function 02F6A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: GlobalTags
                                                          • API String ID: 0-1106856819
                                                          • Opcode ID: 8588853b3b94b8e8213b5982284917a4c5e4ca29e150571b373346def54ef809
                                                          • Instruction ID: 8b8c3628c2668735d016f7e4bd4895bacd36ca8fd53dba921cfc659af3c88ea6
                                                          • Opcode Fuzzy Hash: 8588853b3b94b8e8213b5982284917a4c5e4ca29e150571b373346def54ef809
                                                          • Instruction Fuzzy Hash: 1A7161B5E0021ACFDF24DF98D5A0AADB7BAFF48784F188129EA05E7240DB719941CF50
                                                          Function 02F3973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                          • Instruction ID: bdad633e260764d34264c2ac2fa79bdeaf639ef3777db53ef7a52f88b398679e
                                                          • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                          • Instruction Fuzzy Hash: 57615E71D00259AFDF22DF99C840FAEBBB5FF84794F14456AEA10B7290D7B49A01CB50
                                                          Function 02FBF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                          • Instruction ID: e7f3bdcc438c5c0644e23d0fd89fd12e90ab74bc46a237717586ce1b398d3c9e
                                                          • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                          • Instruction Fuzzy Hash: 0B517A72614345AFD7229F55CC40FAAB7E9FF88794F000A29BB8497690DBB4E904CB91
                                                          Function 02F4E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: EXT-
                                                          • API String ID: 0-1948896318
                                                          • Opcode ID: effe3f17870ae637c14caa8f92d6066a4f5e0e0baed552a338a7e4294a89229d
                                                          • Instruction ID: c2efc40024ced83c203ddd773604ce4ce5fa49eaac96da8892ab55ef6ec75961
                                                          • Opcode Fuzzy Hash: effe3f17870ae637c14caa8f92d6066a4f5e0e0baed552a338a7e4294a89229d
                                                          • Instruction Fuzzy Hash: 904182729083159BD710DB748880F6BBBD9BF88798F44092DFB94D7180EBB4D904CB96
                                                          Function 02FEB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PreferredUILanguages
                                                          • API String ID: 0-1884656846
                                                          • Opcode ID: 7c550b3ddff4f5c0ad796305b2697a8a3a608f3b33668932c55c7fb06f8219d6
                                                          • Instruction ID: 4bc2fdc3cbbb0bdbcf34f6ed2b84de43a7bc996f0774e05e0f4e6330926b0e53
                                                          • Opcode Fuzzy Hash: 7c550b3ddff4f5c0ad796305b2697a8a3a608f3b33668932c55c7fb06f8219d6
                                                          • Instruction Fuzzy Hash: 99419376D00219AFDF12DA94CC41BEEB7B9BF44798F050166EB52AB264D770DE40CBA0
                                                          Function 02FAC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BinaryHash
                                                          • API String ID: 0-2202222882
                                                          • Opcode ID: c840b0c9d539f48a12cb333359c98bcdd4d0b57a7aedb7bf2ed4b9df5aa907e0
                                                          • Instruction ID: 95fad5693dbc874ecc60ab058b887ef7536867d218a953289f1aeb8fda38496e
                                                          • Opcode Fuzzy Hash: c840b0c9d539f48a12cb333359c98bcdd4d0b57a7aedb7bf2ed4b9df5aa907e0
                                                          • Instruction Fuzzy Hash: A54122F1D0112CAADB21DA60CC94FDEB77DBB45794F0045E6EB08AB140DB709E898FA4
                                                          Function 02FB97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: verifier.dll
                                                          • API String ID: 0-3265496382
                                                          • Opcode ID: 58c759ea13290d6c95453a683c2abedef7bf40070b7954a93fabc1cc51fe9930
                                                          • Instruction ID: cf930d75ccb3031f0cca1fa1fbd6b6535b00670689143c10cb5fe627f57b0a0a
                                                          • Opcode Fuzzy Hash: 58c759ea13290d6c95453a683c2abedef7bf40070b7954a93fabc1cc51fe9930
                                                          • Instruction Fuzzy Hash: 40316171B002019FDB259F6ADC50F66B6E5EF59794F94843EE7099F280E7B1C8808B94
                                                          Function 02F35096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Actx
                                                          • API String ID: 0-89312691
                                                          • Opcode ID: c27e62b406eccb83ac48e240dfb266a382a7afe6d86e4e6d5d98a7f161e107b7
                                                          • Instruction ID: 2991f0a9835617fe5b52d92eec8821fe5bba5cedcb67308b87d6bc880a5783ae
                                                          • Opcode Fuzzy Hash: c27e62b406eccb83ac48e240dfb266a382a7afe6d86e4e6d5d98a7f161e107b7
                                                          • Instruction Fuzzy Hash: EE11D3B1B086138BEB26591C8850736B2D5EBCDBE8FB4812AE752CB390D773D840C380
                                                          Function 02FB106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrCreateEnclave
                                                          • API String ID: 0-3262589265
                                                          • Opcode ID: 83f788aeb81070891a69f2c45c05f4529ace7b3e4a77ac7b5a1112b4afa1a992
                                                          • Instruction ID: ca6a5e09e23822e52b7da3e7260e64974cb1a618fa33c73d93313207d583904a
                                                          • Opcode Fuzzy Hash: 83f788aeb81070891a69f2c45c05f4529ace7b3e4a77ac7b5a1112b4afa1a992
                                                          • Instruction Fuzzy Hash: F72134B19083449FD320DF1AD804A9BFBE8EFD5B80F100A1EBA9497250DBB09504CF92
                                                          Function 02F8739A Relevance: .7, Instructions: 705COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 501197a13f98a657412165d1ff6c36ac06caaafd160c5485bc50c1f86ef59d39
                                                          • Instruction ID: 4e69978f4ccd2fe5b0038a0b5c5d86ccad90b776446e406894637823571ed2c7
                                                          • Opcode Fuzzy Hash: 501197a13f98a657412165d1ff6c36ac06caaafd160c5485bc50c1f86ef59d39
                                                          • Instruction Fuzzy Hash: AB428075E006168FDB14EF59C890BAEF7B2FF88354B248559D652AB350D734E841CF90
                                                          Function 02F5B2C0 Relevance: .6, Instructions: 629COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 657751a6d6d02dfcff502751e7768a42e756448a470d34da733d91c1866c534f
                                                          • Instruction ID: 6fefdc7d77d2af8fba35a90b1ba4b7eb4930fef4a72bebe3ddfad482f4e93d67
                                                          • Opcode Fuzzy Hash: 657751a6d6d02dfcff502751e7768a42e756448a470d34da733d91c1866c534f
                                                          • Instruction Fuzzy Hash: 9C32B472E01229DBCF24DF68D894BAEBBB1FF54798F180029EE05AB345D7359901CB90
                                                          Function 02FDA118 Relevance: .6, Instructions: 591COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7e808f3fce4b7e7b945f46df8f4fbd23cb2581751c299dd13eae2331a65345e7
                                                          • Instruction ID: f4f77659cbbde30f3ba2e6f31d1c060d8cc317a8a732549a029dd5185dbea64d
                                                          • Opcode Fuzzy Hash: 7e808f3fce4b7e7b945f46df8f4fbd23cb2581751c299dd13eae2331a65345e7
                                                          • Instruction Fuzzy Hash: 5D220275A04651CFDB25CF29C090372B7F3AF45384F1C849ADA968F286E735E452CB68
                                                          Function 02FF16CC Relevance: .6, Instructions: 571COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4bf604541e3cc796bd17a86215762e4020ee4c3f87d94bc5bd02d3f2726f1eef
                                                          • Instruction ID: 8ddcdb9facb090581c0f9d143463a55710b5176a6d9e2b94b6efd5093a06ea89
                                                          • Opcode Fuzzy Hash: 4bf604541e3cc796bd17a86215762e4020ee4c3f87d94bc5bd02d3f2726f1eef
                                                          • Instruction Fuzzy Hash: 7322A235F00216CFCB59CF59C490AABB7B2BF88358B24456DDB5A9B354DB30E942CB90
                                                          Function 02F28397 Relevance: .4, Instructions: 380COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b5591891ae39daf8e76366da42411dca96cb81c5e4572053d0919ac9916a8271
                                                          • Instruction ID: cea44e99cc51bf21a8a0ccee98908805f64f0dc548213d1ed02387ff4d6b36e8
                                                          • Opcode Fuzzy Hash: b5591891ae39daf8e76366da42411dca96cb81c5e4572053d0919ac9916a8271
                                                          • Instruction Fuzzy Hash: 43D1C572A0022A9BCB14DF64CC91FBAB7E5BF453D8F044669EB15DB280E734D949CB60
                                                          Function 02F3D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 27737e9c18500f6e6d920b58f1b7a6d8c4cf9af5c899b9e797cae4864d68b185
                                                          • Instruction ID: ea3823364435fc9b80c498fe3717e0943fc604f109f2dc80446ed9e3be90b203
                                                          • Opcode Fuzzy Hash: 27737e9c18500f6e6d920b58f1b7a6d8c4cf9af5c899b9e797cae4864d68b185
                                                          • Instruction Fuzzy Hash: 7FC1D371E012169BEF29CF58C840BAEB7B6FF54794F148269DA15AB380D770E942CF90
                                                          Function 02F590DB Relevance: .3, Instructions: 287COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e5658462b546b3eec07d8481b40e07e9aa0f58768fa73cef01f875c3223ffb2c
                                                          • Instruction ID: ec5bfb3395b7213a36b77302897294ed902cb1686cb2555b6803ce33cd042edf
                                                          • Opcode Fuzzy Hash: e5658462b546b3eec07d8481b40e07e9aa0f58768fa73cef01f875c3223ffb2c
                                                          • Instruction Fuzzy Hash: CDA11C71900615AFEB26EF64CC81FAE77B9EF55794F110054FB00AB2A0DB759D50CBA0
                                                          Function 02F383C0 Relevance: .3, Instructions: 281COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dab4cb9d0c1f3ddd4de0393831396b8833989777eefdb2fc488cb7de05b575a8
                                                          • Instruction ID: e68afa227eba0b99ab23e88d9d610e09cddae24fbf26438f86062230b3c704a1
                                                          • Opcode Fuzzy Hash: dab4cb9d0c1f3ddd4de0393831396b8833989777eefdb2fc488cb7de05b575a8
                                                          • Instruction Fuzzy Hash: 66C139756083418FEB64CF15C494BABB7E5BF88384F44496DEA8987390D778E908CF92
                                                          Function 02F70185 Relevance: .3, Instructions: 276COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 462436fe294ddac78265a3afc9f353933824e65fcc994e87c62bfd1db2177468
                                                          • Instruction ID: d20435a2c233acc39076e663ebe9cd5fde847c8f7c4214497e3176bb9808bbb1
                                                          • Opcode Fuzzy Hash: 462436fe294ddac78265a3afc9f353933824e65fcc994e87c62bfd1db2177468
                                                          • Instruction Fuzzy Hash: A3A19EB1B0161A9BDB24DF69C990BAAB7F1FF54398F10403EEB0597281DB74E811CB90
                                                          Function 02F4E3F0 Relevance: .3, Instructions: 261COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3af20b455ba82232cbeb8124665f1f2327594a764b6d5038c6fc75ba52ab5621
                                                          • Instruction ID: d258e786b208ffbce147f844f092e42d824c63586e9f5ebf7bcc468dc63cacef
                                                          • Opcode Fuzzy Hash: 3af20b455ba82232cbeb8124665f1f2327594a764b6d5038c6fc75ba52ab5621
                                                          • Instruction Fuzzy Hash: D6910336E006158BEB24DB19C944B7DBBA2FF84794F064069EB05DB390EFB8D941CB91
                                                          Function 02F31131 Relevance: .3, Instructions: 259COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0aa123b6ad31c2391aa7024e07f8498abd34c5e3c529587b224577b8a1462912
                                                          • Instruction ID: d33363638939a80f94e75fefee737a6413e6617b988cd5aab777fa95ac774589
                                                          • Opcode Fuzzy Hash: 0aa123b6ad31c2391aa7024e07f8498abd34c5e3c529587b224577b8a1462912
                                                          • Instruction Fuzzy Hash: A7B11271A093408FD365DF28C980A5AFBF1BB88344F584A6EF999CB352D770E945CB42
                                                          Function 02F5D090 Relevance: .2, Instructions: 217COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                          • Instruction ID: a156588f7f7c03f4da4943bd0b04942800d32a14b3680af07018e7a964a57819
                                                          • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                          • Instruction Fuzzy Hash: B3817B72E011298BFF15DF68C9807ADB7B2FB88388F15816BDA16B7344D7319A41CB91
                                                          Function 02F6E284 Relevance: .2, Instructions: 212COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cde15c23e531d355f7002a8cfd9a7cbd7ca9036a0f08e576f86a0a059017e77a
                                                          • Instruction ID: a0420b502b1ae881c74ba0c7debbbba23ed3ccf213bf9e36a0c568af1e288f27
                                                          • Opcode Fuzzy Hash: cde15c23e531d355f7002a8cfd9a7cbd7ca9036a0f08e576f86a0a059017e77a
                                                          • Instruction Fuzzy Hash: 77818176A00609AFDB21CFA5C885FEEBBFAFF48384F144429E655A7250D770AC05CB60
                                                          Function 02F4C640 Relevance: .2, Instructions: 206COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8f0f0777d1cb729aba78635dc27eb230d68fc830dc624e739a63c5fd62a87b61
                                                          • Instruction ID: 3df7ae987e7b09cbd52f235e9475a8f10cb09793f6b8946fb5aa88b059cf9d29
                                                          • Opcode Fuzzy Hash: 8f0f0777d1cb729aba78635dc27eb230d68fc830dc624e739a63c5fd62a87b61
                                                          • Instruction Fuzzy Hash: 8E71E175D02269DBDB25CF59C890BBEBBB5FF59780F14411BEA42AB350DB749800CBA0
                                                          Function 02F4260B Relevance: .2, Instructions: 201COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ad9740dd002c15cd9892a9f97a489b56f98491b13fc5c459f4b55fa2fac76857
                                                          • Instruction ID: 17cf40b32af4e3689aa94cae4b49a74a7a9b10cd807bbc99207536a3695d0cc2
                                                          • Opcode Fuzzy Hash: ad9740dd002c15cd9892a9f97a489b56f98491b13fc5c459f4b55fa2fac76857
                                                          • Instruction Fuzzy Hash: 42719C71A046418FD711DF28C880B2ABBE6FF84394F0485AAFA99CB751DBB4DC45CB91
                                                          Function 02FC62A0 Relevance: .2, Instructions: 198COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a1c33f1540676e7383635f03c8a085b80dc56531180aca0e4f188a4222807ea0
                                                          • Instruction ID: 1f82dbfa2ef4aaec118d3df85718f528dc6c0bb4d4125c03cbdd231054a508c5
                                                          • Opcode Fuzzy Hash: a1c33f1540676e7383635f03c8a085b80dc56531180aca0e4f188a4222807ea0
                                                          • Instruction Fuzzy Hash: E671E032604602AFD7319F14CE44F66B7AAEF847A4F24442CE756D72A0DB75E944CB50
                                                          Function 02FB035C Relevance: .2, Instructions: 198COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                          • Instruction ID: 5e00b13767b58bc1cb09607ae888c4cb4423783b05b3490f6e3a8136496d4f37
                                                          • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                          • Instruction Fuzzy Hash: 4F716A71E00609AFCB11DFA9CD84AEEBBB9FF48784F104569E605A7250DB34EA41CF90
                                                          Function 02FF132D Relevance: .2, Instructions: 188COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9a40aa28de24b2da3ee3e5f3d6dd4291ef968b3053e9a332261e1d3463442b0a
                                                          • Instruction ID: eef2e4f5c1e4a2b7be9d2443ec76fc7576177582970d34de5b625fd3bf47f582
                                                          • Opcode Fuzzy Hash: 9a40aa28de24b2da3ee3e5f3d6dd4291ef968b3053e9a332261e1d3463442b0a
                                                          • Instruction Fuzzy Hash: 92817C75A00209DFCB09CFA8C590AAEBBF1FF88340F1581A9D959EB355D734EA41CB90
                                                          Function 02FF903E Relevance: .2, Instructions: 186COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b2e867d03b50159e30a9e513d6b243bd0f27e402413554aabdc52335de7dfbda
                                                          • Instruction ID: 72c2dc48e5659fddfcb73001306010744ad95bcca950a900c659d6753eedc2a8
                                                          • Opcode Fuzzy Hash: b2e867d03b50159e30a9e513d6b243bd0f27e402413554aabdc52335de7dfbda
                                                          • Instruction Fuzzy Hash: 2061E072600715AFD7A5DF64C884BABBBA9FF88784F004619FB6987260DB70E500CF91
                                                          Function 02FF92A6 Relevance: .2, Instructions: 174COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9a5ce851a3633b05b07ed232eb390606e3af5da80aabd754955dba4f1eaa1a25
                                                          • Instruction ID: e93b0af4e4b98c1aa1a9bfc19823b29321c354778487fabf8e2dc3b30e3abc7b
                                                          • Opcode Fuzzy Hash: 9a5ce851a3633b05b07ed232eb390606e3af5da80aabd754955dba4f1eaa1a25
                                                          • Instruction Fuzzy Hash: 1B6129327047428BD351CF64C894B6AB7E5BF90788F18446DEB858B3A1DBB5E806CB91
                                                          Function 02F2B2D3 Relevance: .2, Instructions: 161COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1e51b974cb7d65ddfe4588dc4e2f30e6f17440082bb98d2473d1f75f066ed333
                                                          • Instruction ID: 9d0dccd1952b5d77473cfbf41214a5f3eb08877853f61e9d9eb3443e25069b45
                                                          • Opcode Fuzzy Hash: 1e51b974cb7d65ddfe4588dc4e2f30e6f17440082bb98d2473d1f75f066ed333
                                                          • Instruction Fuzzy Hash: 4F412731A016109FD726AF25DE80B26BBA6EF45798F21447AEB59DB250DB70DC40CF90
                                                          Function 02F43740 Relevance: .2, Instructions: 159COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f263bdd8b655c6735c97737a70483257194f5ab77791df289a6272c3dbffba98
                                                          • Instruction ID: 7e6fa103ca1d75a804d8c7366b450de3426a94b358be0ff0ce6ed08796bc3471
                                                          • Opcode Fuzzy Hash: f263bdd8b655c6735c97737a70483257194f5ab77791df289a6272c3dbffba98
                                                          • Instruction Fuzzy Hash: A2512376E046169FC711CF68C880B69BBB1FF04790F2582A5E995DB740EB74E991CBC0
                                                          Function 02F37152 Relevance: .2, Instructions: 158COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db97e57ce1bc31be107a4a22914ed924996237988bef5add6e716b9e20746476
                                                          • Instruction ID: 5fd676788a0d7a7c9d61875d2c18bb9f0a3c4e9e13a233c249bc96f711027f25
                                                          • Opcode Fuzzy Hash: db97e57ce1bc31be107a4a22914ed924996237988bef5add6e716b9e20746476
                                                          • Instruction Fuzzy Hash: 8051FF72E0060AEFEF16EB64C844BAEF7B1BF44394F104069EA0693290DB749911CF81
                                                          Function 02FFD26B Relevance: .2, Instructions: 153COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                          • Instruction ID: 2c605f9413ea10abcdb7a58642433665680720996080657627c2a3ac99fa8b7e
                                                          • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                          • Instruction Fuzzy Hash: 65516B726083429FC755CF28C884B5ABBE6FF88384F04892DFA9597350D734E905CB52
                                                          Function 02F351ED Relevance: .1, Instructions: 149COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 47a9f7cb6a05fd7201985de4be3b4c843a7afc1f14a7f06102f0b3389cf62ea5
                                                          • Instruction ID: 7e678650e21a1df77af23b166745af04f8455c179a9591e160b75d21f3b545ec
                                                          • Opcode Fuzzy Hash: 47a9f7cb6a05fd7201985de4be3b4c843a7afc1f14a7f06102f0b3389cf62ea5
                                                          • Instruction Fuzzy Hash: 39517D31F01219DFEF22DAA9C840BADB7B6BB8C798F540019DA15E7250DBB5E940CB61
                                                          Function 02F601F8 Relevance: .1, Instructions: 138COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b6f6cae0cb73bb8a68ebcf7e59a040dbb4b392a48df345631e88c2041600fc4
                                                          • Instruction ID: 807c17468b3c698a14d1b8f487e5d424019dfdf9431e2f78bfb3c2905dbc1fa3
                                                          • Opcode Fuzzy Hash: 1b6f6cae0cb73bb8a68ebcf7e59a040dbb4b392a48df345631e88c2041600fc4
                                                          • Instruction Fuzzy Hash: 6A41BC36E002149BCB14DF98C844AFDB7B5FF48784F24816EEA15E7240DB359C41CBA4
                                                          Function 02F72750 Relevance: .1, Instructions: 137COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                          • Instruction ID: 9c277d18a1124d97ad3d8264a17f6fc8d09555add8af4e6706d3b9600e1afc6c
                                                          • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                          • Instruction Fuzzy Hash: 46516AB5E00219CFCB14CF98C590AAEF7B2FF84754F2881A9D915A7350D735AE86CB90
                                                          Function 02FAD1C0 Relevance: .1, Instructions: 135COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                          • Instruction ID: ce8b86e834377908a1bded3e6b875e6ba16ae32d6556d59bc83a07d183a72dc8
                                                          • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                          • Instruction Fuzzy Hash: 855138B5E00206DFDB18CF68C4916AABBF1FF48314B14816ED919A7745E734EA90CF90
                                                          Function 02F36154 Relevance: .1, Instructions: 133COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9acb34cd113c4e905966751728d44560d4b41184afea6f436091178a82e155ea
                                                          • Instruction ID: e64de897ffd04e8a718951dd2315b408df77bbbdef6d58905426504cd788368d
                                                          • Opcode Fuzzy Hash: 9acb34cd113c4e905966751728d44560d4b41184afea6f436091178a82e155ea
                                                          • Instruction Fuzzy Hash: 8851F770E0011AEBDF26DB64CC04BA8BBB5FF01398F1442A9DA29D72D1DB759981CF84
                                                          Function 02F2B136 Relevance: .1, Instructions: 131COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a9f087db5a2a7d02dcacb998d5876d3864f703f19b9e9df646de6c4704f808d4
                                                          • Instruction ID: 6caf8dd120efa98b50e1cc9d4c8b30f89900196661ceef00af7388bf5e33d1ab
                                                          • Opcode Fuzzy Hash: a9f087db5a2a7d02dcacb998d5876d3864f703f19b9e9df646de6c4704f808d4
                                                          • Instruction Fuzzy Hash: 1C41BF72640315EFD726AF64CC84B2ABBE9EF117D8F00446AEB159B290D7B4D804CF60
                                                          Function 02FF866E Relevance: .1, Instructions: 129COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                          • Instruction ID: 38ab3922e43f9310f17860b689722be27d585b9d93b07b8aa6c9881710d5e920
                                                          • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                          • Instruction Fuzzy Hash: 6C41A476B00109ABDB55DB95CC85AAFB7BAAF847C4F1440A9EB01A7361D770DD01CB50
                                                          Function 02F5D6E0 Relevance: .1, Instructions: 126COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c3a2cf5575088b162b3029c546a9db0e875e715be685e54225c5fe3173aa6a3b
                                                          • Instruction ID: 1fb9335d72f3de9945d7bda65c01d88e4c7861bc8875e6d9fc673c11b1e3f9a8
                                                          • Opcode Fuzzy Hash: c3a2cf5575088b162b3029c546a9db0e875e715be685e54225c5fe3173aa6a3b
                                                          • Instruction Fuzzy Hash: 8741E271A062109FE724EF29CC90F6AB7A9EB453A0F10062EFF1587691DB34A841CFD1
                                                          Function 02F2A020 Relevance: .1, Instructions: 122COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                          • Instruction ID: 86196fc4990ad085184d34ff8d9c2cd9cec44bd509dc4e53985dc79377a20265
                                                          • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                          • Instruction Fuzzy Hash: 8B411532E00221DBDB20EEA4C4447BEF762EB55BD8F15806AEB45CB240D7319D84CB90
                                                          Function 02F3262C Relevance: .1, Instructions: 119COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a0d19a5a65dac0d984f94b59ef19f9c63d0c0535b98e53a408d012f2bed2e6a0
                                                          • Instruction ID: e61fb667582fe35c4a1bd90f6c2c4e044fa862ebbfe66d6e43c0d91caea71980
                                                          • Opcode Fuzzy Hash: a0d19a5a65dac0d984f94b59ef19f9c63d0c0535b98e53a408d012f2bed2e6a0
                                                          • Instruction Fuzzy Hash: 69418071901718DFCB22EF68C940B69B7F2FF44394F208269CA169B6A1DB709D41CF51
                                                          Function 02FB07C3 Relevance: .1, Instructions: 114COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f0f289f7c8b73c341f85d868449e5e833d167f5e66a7d0e65e4644d0566c8056
                                                          • Instruction ID: 67b37f0172a254df55c6c8e43cd6c5ae1b02655bfa6e6157b0e69f34e7637229
                                                          • Opcode Fuzzy Hash: f0f289f7c8b73c341f85d868449e5e833d167f5e66a7d0e65e4644d0566c8056
                                                          • Instruction Fuzzy Hash: 56416D725043159BD720EF25C845F9BBBE8FF88794F104A2EF69897290DB70D904CB92
                                                          Function 02F402E1 Relevance: .1, Instructions: 106COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                          • Instruction ID: 523b4ed8d4ac7f5cbac0b75b341b4df1ec27601fdaeea9dba91b80101ede70e1
                                                          • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                          • Instruction Fuzzy Hash: 74312A32A04244AFDB269B68CC40FEEBFE9EF04394F048569EA55D7351CBB4D984CB64
                                                          Function 02F59274 Relevance: .1, Instructions: 105COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9965b6413fd18da25c81568706ed4461e5534f12fd5f862853df5fd70726541c
                                                          • Instruction ID: e5e7a8a713a5c0f8a8a6bd41e609df1f0fc29686516698091d22b1e61100e5f4
                                                          • Opcode Fuzzy Hash: 9965b6413fd18da25c81568706ed4461e5534f12fd5f862853df5fd70726541c
                                                          • Instruction Fuzzy Hash: CB318472A01238EFDB259B24CC40B9AB7B9EF85794F5101D9AB4CA7280DB719E44CF91
                                                          Function 02F34260 Relevance: .1, Instructions: 102COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fc4cf81caba7867e85d4be23e82227d7a1cab3c302e7fb84a60e165f43efb6c6
                                                          • Instruction ID: 8b141b73051ccee799934f28a491a4bf00e431e9276adafd84bd6f3cbe8b2b92
                                                          • Opcode Fuzzy Hash: fc4cf81caba7867e85d4be23e82227d7a1cab3c302e7fb84a60e165f43efb6c6
                                                          • Instruction Fuzzy Hash: F241AD32600B44DFDB22DF28C880FA67BE5AB49794F10446DEB9A8B290CB74E804DB50
                                                          Function 02F550E4 Relevance: .1, Instructions: 101COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                          • Instruction ID: 43d85536d920abfed1ba1b5d4a690115e6a00dffbc29719e31bae66e639b1826
                                                          • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                          • Instruction Fuzzy Hash: B231E632B083619BFB21DE28C800767BBD5AB857D8F888529FF858B391D774D841C792
                                                          Function 02FF61C3 Relevance: .1, Instructions: 97COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7d3f53e3a1c23f435bb7d3521bdf9f962fc6dc00b62c162d7206a5f2c7c2c461
                                                          • Instruction ID: 40b158472b7f86e7ec1dad576ed852577ffebacf877047622f9d07b234eac104
                                                          • Opcode Fuzzy Hash: 7d3f53e3a1c23f435bb7d3521bdf9f962fc6dc00b62c162d7206a5f2c7c2c461
                                                          • Instruction Fuzzy Hash: 8531C376E00115EBDB15DF98CC80BAEB7B9EF44784F454169E610EB254DB70AD00CB94
                                                          Function 02F29730 Relevance: .1, Instructions: 96COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b55a52bd58bbdd2eed42b3bf595eac2f826f5cc7595727b41d0560455df08237
                                                          • Instruction ID: c1b63c07c9e4b8b312061e018cc8c0e73e8f42f3e375e86cb40a159ab3449803
                                                          • Opcode Fuzzy Hash: b55a52bd58bbdd2eed42b3bf595eac2f826f5cc7595727b41d0560455df08237
                                                          • Instruction Fuzzy Hash: 64210736A007289FC321AF58C800B1ABBB5FF85B94F210969EB559B740DBB4EC05CB90
                                                          Function 02FF60B8 Relevance: .1, Instructions: 95COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6373a6a766afe9406791bba8d196c739f70d50c1c4bcdd7279cf4c19d5f3d151
                                                          • Instruction ID: 37da740a37edb8a3865e7235d2ad492b2ec833c4d4e9849da02e71a97ec3522d
                                                          • Opcode Fuzzy Hash: 6373a6a766afe9406791bba8d196c739f70d50c1c4bcdd7279cf4c19d5f3d151
                                                          • Instruction Fuzzy Hash: BC31A771B01615AFE712DF59CC50B6E7BBAAF44B94F1000A9E715DB361DE70DD008B90
                                                          Function 02F307AF Relevance: .1, Instructions: 95COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1885bb7e24a3f150d242d5107037ef1e9b21fbfaa1cfc3b8772bcfef0e7584ea
                                                          • Instruction ID: 8ce2632f27948670c8cf4f0c737d71aaf9f34f86904fc2168f064716b9116bcd
                                                          • Opcode Fuzzy Hash: 1885bb7e24a3f150d242d5107037ef1e9b21fbfaa1cfc3b8772bcfef0e7584ea
                                                          • Instruction Fuzzy Hash: 4F31AD32A04651DBC713EE288880E6BBBA6AF957E0F01452EFF55A7210DE30DC01CBE1
                                                          Function 02F2D6AA Relevance: .1, Instructions: 93COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                          • Instruction ID: e959988c253189623e3f52d92db2f24047b4ff6d66f648434d4c123b0af234b8
                                                          • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                          • Instruction Fuzzy Hash: 80310476E00228AFDB21DE58C880F2AB7B9EB817D4F198469EF059B240D378DD48CB50
                                                          Function 02F6A6C7 Relevance: .1, Instructions: 92COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                          • Instruction ID: c2ed8d9a773ed0a25e576b405af63caf72c5c2032b8a5c91f8455b09daadd72c
                                                          • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                          • Instruction Fuzzy Hash: 0E311AB2B00B04AFD760CF69DD54B66B7F8EF08B94F08052DA69AD3650E730E900CB60
                                                          Function 02F357C0 Relevance: .1, Instructions: 92COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9fcb4551d86e701b0f15eaae54abf3fac2221953b002a0fbc53f97feff5df5f6
                                                          • Instruction ID: 8faca7c13049cff5ec7932f05fc379e5ea45a407a1c37724eebebdcc88003418
                                                          • Opcode Fuzzy Hash: 9fcb4551d86e701b0f15eaae54abf3fac2221953b002a0fbc53f97feff5df5f6
                                                          • Instruction Fuzzy Hash: E0318435715A05FFDB52AB24CE40E99BBA6FF88390F545059EA0187B50DB35E831CF80
                                                          Function 02F392C5 Relevance: .1, Instructions: 89COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                          • Instruction ID: 97bf70c61a923388b81e6745380dde099025e66ea58f10e69c98b06113d93b6d
                                                          • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                          • Instruction Fuzzy Hash: 82317EB26082499FCB02DF18D840A5A7BEAFF89394F00056AFE51973A1D774DC14CBA2
                                                          Function 02F5438F Relevance: .1, Instructions: 89COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f2e6e9044a5c28f541b35786a04f13a6e9a626224dfce8323a5e3a47d2f81d24
                                                          • Instruction ID: 6fa53f03f2eefde83b424c68d4b6341559d02acd1f06a657e9ff7d173c06b0d2
                                                          • Opcode Fuzzy Hash: f2e6e9044a5c28f541b35786a04f13a6e9a626224dfce8323a5e3a47d2f81d24
                                                          • Instruction Fuzzy Hash: 8B31B332B002559FDB20EFA4CD80A6A77FAAB84388F104569DB45E7294D770E985CF50
                                                          Function 02F87190 Relevance: .1, Instructions: 89COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                          • Instruction ID: 10ca9e96729881bf3cde05689830e1392a702f7cd0904ccb0f57c8e1e8b19538
                                                          • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                          • Instruction Fuzzy Hash: 39317A79A04606CFC710DF18C480A56FBF5FF89394B2585A9EA589B319EB30ED06CF91
                                                          Function 02FEC3CD Relevance: .1, Instructions: 88COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                          • Instruction ID: 6168e57246046dd17b1266cb148b3408d16e995e7b3224b34c07ab6a58ac77ea
                                                          • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                          • Instruction Fuzzy Hash: 68212B36600655AACF26AFA58D04FBAB7B6EF40794F40801BFFA787691E734D940C760
                                                          Function 02F2C156 Relevance: .1, Instructions: 88COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62a31a57bf35e138b40159e16622af6b078161d9ad437b9e113613887eb20c11
                                                          • Instruction ID: 63c380d587caa1ec0c6ae785285dbe2953fae71c1d384795cb10aa490bc71dd2
                                                          • Opcode Fuzzy Hash: 62a31a57bf35e138b40159e16622af6b078161d9ad437b9e113613887eb20c11
                                                          • Instruction Fuzzy Hash: C83127729002148BDB30BF24CC41BA9B7B5EF80394F9481A9DE459B3C1DF749986CFA0
                                                          Function 02F2E388 Relevance: .1, Instructions: 86COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                          • Instruction ID: 0ab91d25e48ae7b4c356583bb2b4288d14981fc7850aee83f2d1ea2e06a0071e
                                                          • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                          • Instruction Fuzzy Hash: FC319A31600614EFDB21DF68C984F6AB7B9EF45394F2045A9E6528B690E770FE05CB50
                                                          Function 02FAE609 Relevance: .1, Instructions: 86COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5abc3f1ca487479594f6b3347f39a2e6549a08957f4be8c3522d1df1423cb887
                                                          • Instruction ID: 38e1f519da858f38f7117cf44c10336bb639686c85b135ea9f0e27e9d856234f
                                                          • Opcode Fuzzy Hash: 5abc3f1ca487479594f6b3347f39a2e6549a08957f4be8c3522d1df1423cb887
                                                          • Instruction Fuzzy Hash: F2319EB5A10209DFCB14CF1CC894AAE77B6EF84344B114969E9059B392E771EA41CF94
                                                          Function 02F33616 Relevance: .1, Instructions: 84COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 080f804b461b715388e419bf59326f9f328f3221bb976e2b118ffab5a2bf6a65
                                                          • Instruction ID: 44ee0723b16dc451ada28354232764c41d2e1020d618ec903ac3596e32353a85
                                                          • Opcode Fuzzy Hash: 080f804b461b715388e419bf59326f9f328f3221bb976e2b118ffab5a2bf6a65
                                                          • Instruction Fuzzy Hash: AC21F2316066689FCB22EF04C944B2ABFA1FF80B94F5504A9EA414B751CBB1E844CFC1
                                                          Function 02F5F32A Relevance: .1, Instructions: 79COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                          • Instruction ID: f4aa1b42746f3aab212395b2a532d32ce69709221605a56bc148b556d10c9af8
                                                          • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                          • Instruction Fuzzy Hash: B121C2722002109FD719DF15C841B66BBEAEF863A4F1542ADE706CB6A0EB74E801CB94
                                                          Function 02FB06F1 Relevance: .1, Instructions: 79COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6f512c4d21988da5a53aa2eb2fd3c70712fd6e189ec71cd19e01cb6fdb9f0d39
                                                          • Instruction ID: 909629d129eef72cd7eaf3a3d6c670ef2b00ae965ffd3f38b7303f24406a6317
                                                          • Opcode Fuzzy Hash: 6f512c4d21988da5a53aa2eb2fd3c70712fd6e189ec71cd19e01cb6fdb9f0d39
                                                          • Instruction Fuzzy Hash: 992180759001299BCF21DF59C881ABFF7F5FF48784B600069EA41A7240DB78AD41CFA0
                                                          Function 02FB019F Relevance: .1, Instructions: 78COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 59c1b8804c59cdb90cfb565c4bf17b0ab2ea98915e2e888197e951d093c8ff91
                                                          • Instruction ID: 645364297284e458cf4658d2a174e31b21be128eb3c36b41ae848abec7f64679
                                                          • Opcode Fuzzy Hash: 59c1b8804c59cdb90cfb565c4bf17b0ab2ea98915e2e888197e951d093c8ff91
                                                          • Instruction Fuzzy Hash: 23218B71A00644ABD716DB69DC44F6AB7B8FF48784F1400A9FA04DB6A0DB78ED40CB68
                                                          Function 02F69660 Relevance: .1, Instructions: 78COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2bb2ad98616cf1eefcfbedc983f18197db7d086862ace499000e4dc70713ab99
                                                          • Instruction ID: 50ef1843eddeff297642fc91122f08c01cd10b697699ed244cc25e2b26a7d951
                                                          • Opcode Fuzzy Hash: 2bb2ad98616cf1eefcfbedc983f18197db7d086862ace499000e4dc70713ab99
                                                          • Instruction Fuzzy Hash: E821E531A05789DBCF31AB25CC14B3677A2FB403E4F104719EB52865A0DBB3A841CF51
                                                          Function 02FB0283 Relevance: .1, Instructions: 74COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3a1b7d5a70008ac0193ee6fe49510bbae15f04e985b334cfc07bae4ea6fe11b3
                                                          • Instruction ID: 63c682cb2993d66ae576ee4e803ce3f97a5f51cbb0c87460d81572f04fe9c503
                                                          • Opcode Fuzzy Hash: 3a1b7d5a70008ac0193ee6fe49510bbae15f04e985b334cfc07bae4ea6fe11b3
                                                          • Instruction Fuzzy Hash: C821B6729043459BD712DF5AC848BABBBDCAF903C4F08445ABE80C7251DB74D948CBA1
                                                          Function 02FAD0C0 Relevance: .1, Instructions: 73COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                          • Instruction ID: b644e31bf89c73794079ca773d225ee5dedc353a3d443d3eb0418ccf9f5dd8aa
                                                          • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                          • Instruction Fuzzy Hash: B721D7B2644700ABE3119F18CC51B5B7BA5FF8C790F10012EFA45977A0D770E901CBA9
                                                          Function 02F6A30B Relevance: .1, Instructions: 70COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c65ae050e3e5ecb435e2106b185b0f741926b70bfaab270e8a93500cd7145152
                                                          • Instruction ID: 0e23bb801227211c2cc243407d6203e06ce7b6a2514b4e509c0e3fc82727b592
                                                          • Opcode Fuzzy Hash: c65ae050e3e5ecb435e2106b185b0f741926b70bfaab270e8a93500cd7145152
                                                          • Instruction Fuzzy Hash: E621CF75601A10DFCB24DF29CC01B56B7F5EF09784F2884A8A649DB761E771E842CF94
                                                          Function 02F2B765 Relevance: .1, Instructions: 69COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 574a29b78ac42ec70152e120456ebed05434f89b7548cb9f2cddb99a9f8634e0
                                                          • Instruction ID: 1f7b673ab046f82a66bc2fa8f3c7a936194f158d5b7e6493bf11e90aa8f56627
                                                          • Opcode Fuzzy Hash: 574a29b78ac42ec70152e120456ebed05434f89b7548cb9f2cddb99a9f8634e0
                                                          • Instruction Fuzzy Hash: 32216932101610DFC721EF68CD40F59BBF6FF18788F244969E20A97AA1CB75A945CF44
                                                          Function 02F60124 Relevance: .1, Instructions: 68COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                          • Instruction ID: c65f53a1ad6e0c6c604f8b807f3aadd1c085c1014918d4729e83c21468e53f7e
                                                          • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                          • Instruction Fuzzy Hash: 8711B273A01604BFE7229F54CC45FAABBB9EB80794F204429E7059B190DA75ED44CB50
                                                          Function 02F38770 Relevance: .1, Instructions: 68COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4926ffdcaa0c0ca499943e4e16eb2fa8bcb0d1c34ac3c3bf7b907c2d08f74f4c
                                                          • Instruction ID: b0f53700ef9db7052b49b1143f1ee7dc6651f5133ec598d5428c33b6bdab20f0
                                                          • Opcode Fuzzy Hash: 4926ffdcaa0c0ca499943e4e16eb2fa8bcb0d1c34ac3c3bf7b907c2d08f74f4c
                                                          • Instruction Fuzzy Hash: 7911C831B01618DBCB12CF59C5C0A56B7E6AF4A7D47144069FE08DF305D7B6E901C790
                                                          Function 02F33720 Relevance: .1, Instructions: 67COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 613137398b56a8fcc48e0970b0bb29f61f6d6b0c75ba143eea5567afecabf4ca
                                                          • Instruction ID: a1016d8910569128c30b486d7c8e3df08d7ce4879fe7d1ccc8334b952b387dee
                                                          • Opcode Fuzzy Hash: 613137398b56a8fcc48e0970b0bb29f61f6d6b0c75ba143eea5567afecabf4ca
                                                          • Instruction Fuzzy Hash: BD212970E0520D8BE726DF6DD4487EEB7B4FB8835CF298058CA11572D0CBB89845CB90
                                                          Function 02F380E9 Relevance: .1, Instructions: 66COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9091cbf04927aab617cb37c2805d952450360523e2cd8bed149ae85ab5ae7830
                                                          • Instruction ID: 2feaeb00a8121e0e2540f80b705975e7e20d0db2f5ecd0092cedae209650298f
                                                          • Opcode Fuzzy Hash: 9091cbf04927aab617cb37c2805d952450360523e2cd8bed149ae85ab5ae7830
                                                          • Instruction Fuzzy Hash: 09216F76A00205DFDB15DF98C581B6EBBB5FB88398F24416DE205A7310CB75AD06CBD0
                                                          Function 02F6674D Relevance: .1, Instructions: 65COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8fdd3ff02390f1af451007aa58a7e3720300e0a0740ff3f9aedec140a48b10d6
                                                          • Instruction ID: 730cf92ac8aa873823e0eb22414ac5e20721ce783e16968be97337d5a7321871
                                                          • Opcode Fuzzy Hash: 8fdd3ff02390f1af451007aa58a7e3720300e0a0740ff3f9aedec140a48b10d6
                                                          • Instruction Fuzzy Hash: AA216771601A04EFC7209F68C880F76B7E9FF84390F50882DE6AAC7250DB74AC40CBA0
                                                          Function 02F29240 Relevance: .1, Instructions: 64COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 964ffd93736edd4f8c9464a1e3ad230d26561d781e13d5ef8aec57e560e799fd
                                                          • Instruction ID: ee97279daeb167e5af54c8081bad58087222d7a3c366254bfdee04c504025cd3
                                                          • Opcode Fuzzy Hash: 964ffd93736edd4f8c9464a1e3ad230d26561d781e13d5ef8aec57e560e799fd
                                                          • Instruction Fuzzy Hash: 4D11D03A112245AAD734AF52E801A627BA9EB64BC4F304065EA0097298E77DDD01CF64
                                                          Function 02F666B0 Relevance: .1, Instructions: 61COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a9e45c7ad19d993054d6f79659e69d7f2509121215fe99eab27e282f7fc27473
                                                          • Instruction ID: 9b84b62c4646289952e19a56bcfb5fec2fde9513693ca4af83e1c890e6b480c5
                                                          • Opcode Fuzzy Hash: a9e45c7ad19d993054d6f79659e69d7f2509121215fe99eab27e282f7fc27473
                                                          • Instruction Fuzzy Hash: 1D11BF76E012489BCB24DF59D984A6ABBE9EF94790F154079EA05DB310DB78DD00CB90
                                                          Function 02F527ED Relevance: .1, Instructions: 58COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7cbaed97d3a162af17846566090040fab401edaf241d8605fe19dfb738854156
                                                          • Instruction ID: cc1963b2db19999faff4f4e800489f2aece903c39403b019dcc270988ee9af9e
                                                          • Opcode Fuzzy Hash: 7cbaed97d3a162af17846566090040fab401edaf241d8605fe19dfb738854156
                                                          • Instruction Fuzzy Hash: D0010432B05654ABE316A2AA9C48F277A9DEF403D5F1900A6FF018B640DB58DC00C6A1
                                                          Function 02F5B052 Relevance: .1, Instructions: 57COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05f41c3f8d53608cfba01f1b5a02b96c9aea42a6b4fbba6c29ff3a137b8db30f
                                                          • Instruction ID: bd29d98a2904a6d723e0b1f5d6f9c2d24ae2d1777c33f81d45098ba24ccfb2f0
                                                          • Opcode Fuzzy Hash: 05f41c3f8d53608cfba01f1b5a02b96c9aea42a6b4fbba6c29ff3a137b8db30f
                                                          • Instruction Fuzzy Hash: 6001D672B003506BD710ABAADC84F6BB6F9EF84B98F040029EB0597141EB70E900CA61
                                                          Function 02FED6F0 Relevance: .1, Instructions: 57COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                          • Instruction ID: 829a7f0a061d0ea8fe889aaf579c375ee4c3555b85b4b299a2bab8bed2edc6c1
                                                          • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                          • Instruction Fuzzy Hash: E901A176B0010DAB9F15DBA6CE45CAF7BBDEF85A88F100059AB12D3240E770EE01CB60
                                                          Function 02F34690 Relevance: .1, Instructions: 57COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7d0e2f863a0ca008afa13dc97bbb6d5fb52d5c86efac7f071e05da60fc857c56
                                                          • Instruction ID: fc1e1f1aed1ea2698947b720a5714600c360a9b17fb22230038ada3c8c56bbee
                                                          • Opcode Fuzzy Hash: 7d0e2f863a0ca008afa13dc97bbb6d5fb52d5c86efac7f071e05da60fc857c56
                                                          • Instruction Fuzzy Hash: A311E136601748AFDB26CF59D884F567BB9EB86BE8F004119FA04DB290C770E800CF60
                                                          Function 02F66620 Relevance: .1, Instructions: 56COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1e0d0c7c9dccdcd9abcd7e1e449ead0cd0ef728fc10cd7f73c65f2c58de7cec5
                                                          • Instruction ID: 19474a91adb1e2a2eb459ef97ffd3cc48a469249e63cfa91011ba27b34c82d65
                                                          • Opcode Fuzzy Hash: 1e0d0c7c9dccdcd9abcd7e1e449ead0cd0ef728fc10cd7f73c65f2c58de7cec5
                                                          • Instruction Fuzzy Hash: 5411C672D00615ABCB22EF59ED84B6EF7BDEF88794F600054DA01AB200D775AD018F50
                                                          Function 02F27330 Relevance: .1, Instructions: 55COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db1ec236ae45e0390a18dbe291e7665090f5d81dadfbe6bf8b38383a95e39ada
                                                          • Instruction ID: 0950d4e520f2efb57d95b24e9a6766479046dd076c3262bc0ff4f90e9117a147
                                                          • Opcode Fuzzy Hash: db1ec236ae45e0390a18dbe291e7665090f5d81dadfbe6bf8b38383a95e39ada
                                                          • Instruction Fuzzy Hash: CB11C272A01724DFD721DF65C955BABB7E8EF45388F014429EA85CB210D775EC04CBA1
                                                          Function 02F5F2D0 Relevance: .1, Instructions: 54COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1866dd226dd5de174ae3704bbb88b252aee3440d0accb2c7a91ae5455858948a
                                                          • Instruction ID: b8a36bd404134b258bd6ff31ebfd1f46219116c7998b00c7db8c374b71234b8d
                                                          • Opcode Fuzzy Hash: 1866dd226dd5de174ae3704bbb88b252aee3440d0accb2c7a91ae5455858948a
                                                          • Instruction Fuzzy Hash: 3111C2B2A006489BD720DF69DC44FAEBBB8FF45B84F1444BAEA01E7641DB79D901CB50
                                                          Function 02FC72A0 Relevance: .1, Instructions: 53COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                          • Instruction ID: 8e30310ed15abdb867771844461ffc572a0f5cee7d24a547bb917ed957776c45
                                                          • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                          • Instruction Fuzzy Hash: A7019E7214050ABFE711AF66CD80EA2FB6EFF947D5B60052AF750425A0C721ACA0CFA4
                                                          Function 02F2A250 Relevance: .1, Instructions: 52COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                          • Instruction ID: 5f7e3c1f464df464b5d38b6c2e277be27a21896f19f52981fb2eb9888bf45297
                                                          • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                          • Instruction Fuzzy Hash: C401D6729057219BCB308F15D840A367BB6EF56BA0711892DFE958B6C0D731D404CB60
                                                          Function 02F36259 Relevance: .1, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6cfd51cc43093d12346ba0f1150f703642a9f25d09ae23d9906f37adf001d36
                                                          • Instruction ID: 56f1841c409655d22a86cecc4cf8e5564447323c477db5a25933c52cd8a310cb
                                                          • Opcode Fuzzy Hash: a6cfd51cc43093d12346ba0f1150f703642a9f25d09ae23d9906f37adf001d36
                                                          • Instruction Fuzzy Hash: 34115A71A41228ABDF25AB68CC42FE9B2B9FB04750F5041D5A718A60E0DB709E81CF88
                                                          Function 02FAE1D0 Relevance: .1, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d1c669c5bdee208198c2dd2800f1beda942412bccc05f3e0c087aed0a1b31b32
                                                          • Instruction ID: 6ccf83f760618ac5289aa6409cd1c6730365f81997a6c639f284e92b075749ea
                                                          • Opcode Fuzzy Hash: d1c669c5bdee208198c2dd2800f1beda942412bccc05f3e0c087aed0a1b31b32
                                                          • Instruction Fuzzy Hash: AE118B32641240EFCB16EF18CD90F16BBB9FF48B84F2000A5EA059B6A1C675ED01CA90
                                                          Function 02F3208A Relevance: .0, Instructions: 50COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                          • Instruction ID: 27faa4c312b04462f02a55b5be70f576b160b66870beeeaa9d73e744a0205cd3
                                                          • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                          • Instruction Fuzzy Hash: 14012473A002108FDF12AA29D880BA6B766BFC4B80F5541A5EF018F249EB71CC81C7A0
                                                          Function 02F720F0 Relevance: .0, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 01788c392a6b1ea964fafe914b0d06c2c6df10f12fc2d368202478bc53a1fd8a
                                                          • Instruction ID: 8c796424082af3c8a293003c212affb8e697014781e3a51ca9ed6fdf0d132df6
                                                          • Opcode Fuzzy Hash: 01788c392a6b1ea964fafe914b0d06c2c6df10f12fc2d368202478bc53a1fd8a
                                                          • Instruction Fuzzy Hash: C5115B71A0120CABEB05EF64CC50FAE7BB6AB48784F10405AEA0197290DA75AA11CF90
                                                          Function 02F2C020 Relevance: .0, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                          • Instruction ID: 090b1c31774fa4178215061e37ae6335c264aefff59d1ffea03326d80cf2a7a0
                                                          • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                          • Instruction Fuzzy Hash: 8401F5326007049FDB22E666C800BABB7EAFFC57D4F05441AAB46CB680DF70E405CB50
                                                          Function 02F29353 Relevance: .0, Instructions: 48COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                          • Instruction ID: 88c3a54e72db4d07d726ab275d24cd0da0b4e6630e7331b3ee7de6ff3b115ebe
                                                          • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                          • Instruction Fuzzy Hash: F2118B32900A219FD7219F15C980B22B7E9BF417A6F25886DD6994B5A5C7B5EC80CB10
                                                          Function 02F533A5 Relevance: .0, Instructions: 47COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                          • Instruction ID: 27006bfed2cc932d6b3e2ba8553a5cab7e6aa0b7a0b93c4f171e6c3354f7bb14
                                                          • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                          • Instruction Fuzzy Hash: A4018632700125A7CB12DA9EDE44E5F7E6DDF846C4B1544A9BF16DB160EA30DD01C760
                                                          Function 02F6D1D0 Relevance: .0, Instructions: 47COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                          • Instruction ID: 479bef41b6b12b613d4d7651ff3c2456237df407f4979b7f9d296a81560b5d80
                                                          • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                          • Instruction Fuzzy Hash: C301F7B6B012449BD711DA54ED08FB573A9EFC57A4F104156FF158B2C0DB74D901CB91
                                                          Function 02F2826B Relevance: .0, Instructions: 46COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6bc6a4e68ec10747f63d4488226b6ae68929ffeea7f2d2ce7a948530360ae72
                                                          • Instruction ID: 73d2a58440581afd321bffbd718e7d5585e5eb6c5397525e6bb2eaa4c38aae46
                                                          • Opcode Fuzzy Hash: a6bc6a4e68ec10747f63d4488226b6ae68929ffeea7f2d2ce7a948530360ae72
                                                          • Instruction Fuzzy Hash: 6201F732B01518DBC714EB66DC10AAFB7B9EF413D4B194069DB06AB680EE30DD05CBA0
                                                          Function 02F4E016 Relevance: .0, Instructions: 46COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                          • Instruction ID: 937d97e38ac5ef08ecbfd410e6e1b25c5475683073f356ba8666290ba922ad69
                                                          • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                          • Instruction Fuzzy Hash: 48017C326005849FD322971DC948F36BBECFF45BD4F0904A1FA15CB691DBA8EC40C621
                                                          Function 02FEF367 Relevance: .0, Instructions: 45COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a9e9bc4d78e8e958b6967aaf208771735f9f6854b97b6d16ea6a5085514adac5
                                                          • Instruction ID: af77cfb445aa202f4ae1e2e40c8cfe0444c18bc6341479de07f6c63a0bee796a
                                                          • Opcode Fuzzy Hash: a9e9bc4d78e8e958b6967aaf208771735f9f6854b97b6d16ea6a5085514adac5
                                                          • Instruction Fuzzy Hash: EC018471A10258EFDB10EFA5DC05FAEBBB8EF44744F004066B601EB280DAB8D900CBA5
                                                          Function 03005636 Relevance: .0, Instructions: 44COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0fca7d7b47ae54ac15d6e6544b7de67ea1244f58492d8fd62e73394ab02f968b
                                                          • Instruction ID: e9282722b35190481642f05cd9a07af3348c94ea0cdfbd3d81d5f14990a2d23b
                                                          • Opcode Fuzzy Hash: 0fca7d7b47ae54ac15d6e6544b7de67ea1244f58492d8fd62e73394ab02f968b
                                                          • Instruction Fuzzy Hash: 01116D74D10249EBDB04DFA8D840A9EB7B4EF18704F14845AB915EB380D674DA02CF65
                                                          Function 02FF972B Relevance: .0, Instructions: 44COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                          • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                          • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                          • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                          Function 02F2C310 Relevance: .0, Instructions: 43COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                          • Instruction ID: 43003f6226b41ddc16b4da75c5de513e0ad626cb138f90622de6b8abca428e88
                                                          • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                          • Instruction Fuzzy Hash: AEF0FC33644A329BC73256594D40B6FB5968FC7BE4F1B0437E3099B244CA648C0997D4
                                                          Function 03005152 Relevance: .0, Instructions: 43COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7247ea7e3acdba16be624cb0184b9ee40219a15a525f23b16c22ed985c5e35c5
                                                          • Instruction ID: 65bbe6a54125138a0c24374a30d872612b30588488d56e14c7884518c59e8970
                                                          • Opcode Fuzzy Hash: 7247ea7e3acdba16be624cb0184b9ee40219a15a525f23b16c22ed985c5e35c5
                                                          • Instruction Fuzzy Hash: 51012CB1A1120DABDB00DFA9DD419EEBBF8FF49744F14405AFA01E7380D674AA018BA5
                                                          Function 02F5C073 Relevance: .0, Instructions: 43COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                          • Instruction ID: ba5c280e4b9486ad9dacc7daae2f8aa94bcb2a666b96fb4b4b47d714a2cca2f4
                                                          • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                          • Instruction Fuzzy Hash: DAF0C2B2A00620ABD324DF4DDC40E57FBEADFC0B80F048129AA05C7220EA71DD04CB90
                                                          Function 03005060 Relevance: .0, Instructions: 43COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c29b9228b2abd24f3be1e6be27d24e3ce63d56df7e5ff0489f93f9b6352d684
                                                          • Instruction ID: 28760c020b2aec305b415f4308dfa0f8a1c2f63595cb1c59bf8b46952b4192a2
                                                          • Opcode Fuzzy Hash: 6c29b9228b2abd24f3be1e6be27d24e3ce63d56df7e5ff0489f93f9b6352d684
                                                          • Instruction Fuzzy Hash: BE017CB1A0120DABDB00DFA9D9419EEBBF8EF48340F10405AFA01E7381D674AA018BA1
                                                          Function 030050D9 Relevance: .0, Instructions: 43COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0fce5a555cf03acb365e916a78b18b642efa2e201527eba5aa804cbd721f7d93
                                                          • Instruction ID: a28ba3355eba701bc4ba46f6db3b2c37ff4a03618e54a1a5e39a7c0249e90904
                                                          • Opcode Fuzzy Hash: 0fce5a555cf03acb365e916a78b18b642efa2e201527eba5aa804cbd721f7d93
                                                          • Instruction Fuzzy Hash: 39012CB1A0120DABDB00DFA9DD419EEBBF8EF49744F50405AF601F7380DA74A9018BA5
                                                          Function 02F65734 Relevance: .0, Instructions: 43COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                          • Instruction ID: fa486301d7d84f3d4824ee0a8e6e7a594a625911732e0c81b5f09fee1298ae84
                                                          • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                          • Instruction Fuzzy Hash: FFF0FF72A01218AFE329CF5CC884F6ABBEDEB45694F054079DA00EF230E771DE04CA94
                                                          Function 02FEF78A Relevance: .0, Instructions: 42COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dfe5e391855bf34f1671144ff327dd2c2645145f0c045b94087c9c888c4bd7f0
                                                          • Instruction ID: bac992223d0d81cd517b04b4e4d999d7aa66a2b11f6dc8f8f4b6d038f94bd5fc
                                                          • Opcode Fuzzy Hash: dfe5e391855bf34f1671144ff327dd2c2645145f0c045b94087c9c888c4bd7f0
                                                          • Instruction Fuzzy Hash: 380100B5E0064DAFCF04DFA9D945A9EBBF4EF08344F10415AA916E7341E674DA00CB51
                                                          Function 02FEF2F8 Relevance: .0, Instructions: 41COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d0aad80c8f44228e3f4908e40fcfd0303922dcd60ca8b7cacc39ab934e5a8b9
                                                          • Instruction ID: 20d36c0e7ddd37f736b39e257265fcf99cd80712dbdea7d6d1536df6f9fe5b3f
                                                          • Opcode Fuzzy Hash: 0d0aad80c8f44228e3f4908e40fcfd0303922dcd60ca8b7cacc39ab934e5a8b9
                                                          • Instruction Fuzzy Hash: 65F0A472F10248AFDB04DBB9C805AAEB7B9EF44750F00809AE601E7280DA74D9018B61
                                                          Function 030061E5 Relevance: .0, Instructions: 41COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b4257af23d2178c68a4e6dbf31cb43bc777037789dae41f00b92c16c9aa452f2
                                                          • Instruction ID: 055d2c6e642354e2e9cb3e8fe86b923c39506f51502412235cca39cf6495d73e
                                                          • Opcode Fuzzy Hash: b4257af23d2178c68a4e6dbf31cb43bc777037789dae41f00b92c16c9aa452f2
                                                          • Instruction Fuzzy Hash: 30018F71A0125CEBDB00DFA9D841AEEBBF8EF48350F14005AF501A7380DB78EA01CBA5
                                                          Function 02F6724D Relevance: .0, Instructions: 40COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                          • Instruction ID: cc821943de17d40ecd996596d52326487f0f84c66ba2afc48e6ad66aa56f811a
                                                          • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                          • Instruction Fuzzy Hash: A6F0F676E022556BEB10E7A98944FBBF7A9EF80798F088196BF0197181DB30E940CE50
                                                          Function 030053FC Relevance: .0, Instructions: 39COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 73d6fc51448eebca35f2d917d2be5d865298971aced0411c2d9f14468a5d95bb
                                                          • Instruction ID: 024d3bf0dbe2a9def6840c70813693c8c0c979515f113bc7c9426ec641613f2d
                                                          • Opcode Fuzzy Hash: 73d6fc51448eebca35f2d917d2be5d865298971aced0411c2d9f14468a5d95bb
                                                          • Instruction Fuzzy Hash: A6011E70E01209DFDB44DFA9D945B9EF7F4FF08344F1482AAA519EB381EA749A408F91
                                                          Function 02F2C0F0 Relevance: .0, Instructions: 39COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6534ad2de02a443ee7f919abe2d639843ad3ab5c0fdf626590cb5cbd7321d881
                                                          • Instruction ID: 5ab6bc9236be4d27215f5f96709da315f1062e782c22cc0e58dd179052f7a52f
                                                          • Opcode Fuzzy Hash: 6534ad2de02a443ee7f919abe2d639843ad3ab5c0fdf626590cb5cbd7321d881
                                                          • Instruction Fuzzy Hash: D2F024727042305BF310A6199C42B7B729AEBE17D0F26806BEB058B3C0EB70EC05C394
                                                          Function 03003749 Relevance: .0, Instructions: 38COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                          • Instruction ID: c3af57f56fbaa65909c27faf109f673dd9ae4cefa729177350c957b87f3427a2
                                                          • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                          • Instruction Fuzzy Hash: 52F04FB6940204BFE721EBA4CD41FDAB7FDEB04750F100566AA16D61D0EA70EA44CF90
                                                          Function 02FD437C Relevance: .0, Instructions: 37COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                          • Instruction ID: c4b5734c505c8b16a870943139bebb946232dc3a0a5fc6231c526c90ad446109
                                                          • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                          • Instruction Fuzzy Hash: 79F0E932B41A1247DB35EA6DE820B2EB297AF90AC4B0D052C9701CB640DF70D801DB90
                                                          Function 02F292FF Relevance: .0, Instructions: 35COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cdcab4d4bd2e5f1126f5d4575ad97aea69fea08da8662a8749115b95893eaec4
                                                          • Instruction ID: f601fb26a35fc17e4223a30daa323ca063a7759dfa1366d2ad0e60912b78f6d4
                                                          • Opcode Fuzzy Hash: cdcab4d4bd2e5f1126f5d4575ad97aea69fea08da8662a8749115b95893eaec4
                                                          • Instruction Fuzzy Hash: E2F0F032100240ABC731AB09DD04F9ABBEDEF85740F280119AA4283090C7E0A908CB50
                                                          Function 02FEF3E6 Relevance: .0, Instructions: 35COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d84f660bdbd15c404ef540afab9bf1959718832fc3bef687adc009db01316ed
                                                          • Instruction ID: 5a4a0bc0ee3c9dcde05beb096d9c538a693000192f2c59c63829dd2a22da42c9
                                                          • Opcode Fuzzy Hash: 6d84f660bdbd15c404ef540afab9bf1959718832fc3bef687adc009db01316ed
                                                          • Instruction Fuzzy Hash: 7AF03C71E01248EFCB04EFA9D945A9EB7F4FF48344F50406ABA45EB381DA74EA01CB55
                                                          Function 02FEF6C7 Relevance: .0, Instructions: 33COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a1946b68d4628759a48541cd6e00611edf0f497a0bacc3dcc594ecc3848aaac8
                                                          • Instruction ID: b67cd57563f72a0e3e84c9d90dfbc75047d7caf96b9cf19f40d9c93ff70eaa2f
                                                          • Opcode Fuzzy Hash: a1946b68d4628759a48541cd6e00611edf0f497a0bacc3dcc594ecc3848aaac8
                                                          • Instruction Fuzzy Hash: BDF06271A1024CEBDB04EFA9D805E9EB7F5AF08344F004059E601EB281DA74D900CB54
                                                          Function 02F347FB Relevance: .0, Instructions: 33COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dd9469940ac6de186f2548fa8d97b53c1c42922693ff78c9ea193757529ee761
                                                          • Instruction ID: 443eeb9064b8d7ff3155e02879a7c1f078f9683aeed8e404b1150567ad9dade2
                                                          • Opcode Fuzzy Hash: dd9469940ac6de186f2548fa8d97b53c1c42922693ff78c9ea193757529ee761
                                                          • Instruction Fuzzy Hash: 59F0BE3AE127E09FD733CB68C444F62B7D49B00BE4F0C89AAD79987541C764D881CA50
                                                          Function 02FF0115 Relevance: .0, Instructions: 32COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d8e25af952ea199982e648cfa84ef6b049cc5f67f7145e692718f528a1f0852
                                                          • Instruction ID: 7af24b966b26ee578dba91fceff5a76371ab7554a7d0b4936dfc5bdf8f2bfb94
                                                          • Opcode Fuzzy Hash: 6d8e25af952ea199982e648cfa84ef6b049cc5f67f7145e692718f528a1f0852
                                                          • Instruction Fuzzy Hash: 9BF0273A8176C806DF726B28B8903917F5D9B52294F29108DCBA25721BCEB98483CB20
                                                          Function 0300539D Relevance: .0, Instructions: 31COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ad71b8e15d5886b333ee0d0189ddffb644ece1eae22fb46f0dfa6c1543b238f
                                                          • Instruction ID: 33b4840a2078b29d9e235ce8811afba8ccb79990df84f6a6539f9912865e242e
                                                          • Opcode Fuzzy Hash: 0ad71b8e15d5886b333ee0d0189ddffb644ece1eae22fb46f0dfa6c1543b238f
                                                          • Instruction Fuzzy Hash: 57F05470A1524CAFDB04EB79D945E5DB7B5EF08744F108499E601EB281DA74D901CF25
                                                          Function 03005283 Relevance: .0, Instructions: 31COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78ddd97f1f318dba9d3101db8979c18cc67b69047d134269aeb6b845f81c8d32
                                                          • Instruction ID: 515db3cf26ef44492836c222bf086a83ae44ad9873c5858e1ec902461d570ce6
                                                          • Opcode Fuzzy Hash: 78ddd97f1f318dba9d3101db8979c18cc67b69047d134269aeb6b845f81c8d32
                                                          • Instruction Fuzzy Hash: DBF0BE70A11208EBEB04EBA8D901EAEB7F4BF08300F104499A501EB2C1EA78E9008B54
                                                          Function 030052E2 Relevance: .0, Instructions: 31COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 20d55d6db054a8bf4f75395ea300811abcf37b40486d96c8655c184bba22e34d
                                                          • Instruction ID: a0e250fc5673b49b02c0584a0bfe2ee7d99bde3188ee5f00841163cb9fd39518
                                                          • Opcode Fuzzy Hash: 20d55d6db054a8bf4f75395ea300811abcf37b40486d96c8655c184bba22e34d
                                                          • Instruction Fuzzy Hash: EDF0BE70A10248ABDB04EFB9E901E6EB7B4AF08304F144499A501EB2C0EA78E900CB18
                                                          Function 02F72619 Relevance: .0, Instructions: 31COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                          • Instruction ID: 0f589e4bc605f6bc617dbff6345416ff7ce9098bef23ad175d5985dd3ea24616
                                                          • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                          • Instruction Fuzzy Hash: A5E0D8723006002BD711AE59CCC0F477B6FEFC2B50F04007BBA045F251CAE2DC098AA4
                                                          Function 03005341 Relevance: .0, Instructions: 30COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 786ac5b24977d2b140038da99c9d72385bfb5224028e85faa605f577568170f3
                                                          • Instruction ID: 482ed1b84a9c2896691b0192b275afce54d79e91c3c71227a6253d290ad5233b
                                                          • Opcode Fuzzy Hash: 786ac5b24977d2b140038da99c9d72385bfb5224028e85faa605f577568170f3
                                                          • Instruction Fuzzy Hash: FAF0A7B0A0524CEBDB04EBB9DD45E9EB7F4EF09344F540499F502EB2D0EA74D9008B19
                                                          Function 02F67208 Relevance: .0, Instructions: 30COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d72f413d11617f39c92b891f92c52e8c0a91fe44b9fe0b3a64aa2689178e3ffc
                                                          • Instruction ID: 5db255cd4523ab19763e91dbd1224c1cb5ccc411569d3766ae129e1841d15b43
                                                          • Opcode Fuzzy Hash: d72f413d11617f39c92b891f92c52e8c0a91fe44b9fe0b3a64aa2689178e3ffc
                                                          • Instruction Fuzzy Hash: 85F020B2E116849FDB22D319C5D4B22B7D9DF00BF4F088160D6098B701C3A8C880C690
                                                          Function 03005227 Relevance: .0, Instructions: 30COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30d961e5f8f5890787e0befce9deed30c752f9b4b179b9bae4245da5c76a143a
                                                          • Instruction ID: 261cb5c74fde8efaa7aaa5204ca2463cb4a343fc06afe16c0ee6e397b6795a24
                                                          • Opcode Fuzzy Hash: 30d961e5f8f5890787e0befce9deed30c752f9b4b179b9bae4245da5c76a143a
                                                          • Instruction Fuzzy Hash: 85F0A770A15248EBDB14EBB8DD05E6EB7F8EF04744F140499BA01EB2C1EA74D900CB59
                                                          Function 02FAD070 Relevance: .0, Instructions: 30COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                          • Instruction ID: e450f8dc14392bec6f0889de2d26ebe12d98a681ae0f906ca5935f01e6977dd3
                                                          • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                          • Instruction Fuzzy Hash: 7AF0E53350461467C230AA1D8C05F5BFBACDBD5BB0F20435ABB249B1D0DA70AA01CBD6
                                                          Function 030051CB Relevance: .0, Instructions: 30COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ba4fb2525adb8a0e210b319d21699e0acc024b94cb423cda7b2b8f9d6b988a78
                                                          • Instruction ID: 7ad49a4fa6ffd1bb83c54d02025c2668b2c06cc05fc2f8b7a0f8977f734135a8
                                                          • Opcode Fuzzy Hash: ba4fb2525adb8a0e210b319d21699e0acc024b94cb423cda7b2b8f9d6b988a78
                                                          • Instruction Fuzzy Hash: CCF082B0A1524CEBEB04EBA8DD05E6EB7B4EF04744F140459BA01EB2C1EA74E900CB59
                                                          Function 02FEF72E Relevance: .0, Instructions: 30COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ff9e1e2f71b27bf27bd707baefe77b034c65b03125ade524d97c60300f4e860c
                                                          • Instruction ID: 5c0417444b315e58d181abcb5ba336e9402a496d497a57ae01df8173c525c7b7
                                                          • Opcode Fuzzy Hash: ff9e1e2f71b27bf27bd707baefe77b034c65b03125ade524d97c60300f4e860c
                                                          • Instruction Fuzzy Hash: 03F08271A1124CABDF04EBA9D956E9E77B4EF08744F100099E602EB280D974D9018B19
                                                          Function 030037B6 Relevance: .0, Instructions: 27COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                          • Instruction ID: cd8ffdb9e826146fffcf2cb95ff2bea706989d4900099f7aad28df73ca62e8ec
                                                          • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                          • Instruction Fuzzy Hash: A3E06D72211200AFE765DB58DD05FA673ECEB04760F140298B619930D0DAB0AE40CB60
                                                          Function 02FB4000 Relevance: .0, Instructions: 22COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                          • Instruction ID: 2426aa0769d21f0c09b0032e8d6293af8e8a311c086aa0b8a1522fb65836ce07
                                                          • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                          • Instruction Fuzzy Hash: 92E0C2347003058FD716CF1AC150BA277B6BFD5A94F28C068A9488F206EB32E842CB40
                                                          Function 02F2823B Relevance: .0, Instructions: 21COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                          • Instruction ID: 7f33e6a49a47f32a2a224547c76ada063df5fcbbd4c1277efa5e371c24e9d9dd
                                                          • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                          • Instruction Fuzzy Hash: 05E08C32500A20EFDB312E25DC00B527AA2FB45BD0F20482AE3810A4A487B0AC85DF64
                                                          Function 02FEB3D0 Relevance: .0, Instructions: 21COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                          • Instruction ID: 60774a7c02655ba93773650061730fc1346e2fd8b1770e8605cacb951156fabf
                                                          • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                          • Instruction Fuzzy Hash: CEE0C232284214BBDF236E40CD00F69BB56EF507E4F204032FB096AA90CAB1AD91DAD4
                                                          Function 02FB92BC Relevance: .0, Instructions: 20COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 00671bfafc74accdb46c96351605d070bc0a585c369b360b1c2f43edbfbae6bf
                                                          • Instruction ID: 3b87bf2387862411aa73459d14d4f066664e2e69fe48025edbfa1f632bc8ca80
                                                          • Opcode Fuzzy Hash: 00671bfafc74accdb46c96351605d070bc0a585c369b360b1c2f43edbfbae6bf
                                                          • Instruction Fuzzy Hash: C5F0E535A52B84CFE72BDF09C1E2B9173B9FB55B84F500498D5468BBA1C73AA942CF40
                                                          Function 02F32050 Relevance: .0, Instructions: 20COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 349c52cd976c472e32b681fe0dda67d310faf37edf1563b9f83841d6d835507e
                                                          • Instruction ID: e4cd99293007fb86c1f4dd063902baa150e356e3bf3468c353c9d435f65743e5
                                                          • Opcode Fuzzy Hash: 349c52cd976c472e32b681fe0dda67d310faf37edf1563b9f83841d6d835507e
                                                          • Instruction Fuzzy Hash: 94E0C2321015546BC322FB5DED10F4A779FEFA43A0F100121F250876D0CB65AD40CB94
                                                          Function 02F2A0E3 Relevance: .0, Instructions: 15COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                          • Instruction ID: 13f6df752b8bc078e4e3cfd93c15c308f602b03bde198e24e4c6fc3b52522c34
                                                          • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                          • Instruction Fuzzy Hash: F3D0223331603093CB28A6606C00F637906DB82AE4F1A006C3A0AD3800C9048C82CAE0
                                                          Function 02F402A0 Relevance: .0, Instructions: 13COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                          • Instruction ID: ba173c969b76736b9a28960da761ed13f5343b6a998b89e51b77a20e81669726
                                                          • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                          • Instruction Fuzzy Hash: 9FD09235A12A80CFD61A8B08C5A4B2633A4BB44A84F8104A4EA01CBB61DBA8DA40CA00
                                                          Function 02FB930B Relevance: .0, Instructions: 12COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                          • Instruction ID: 0053e6e9615556340b5152dc33065939b1f9e7990a019d52689a39f8b64ba977
                                                          • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                          • Instruction Fuzzy Hash: B7D05E35945AC4CFE727CB08C165B907BF8FB05B80F890098E14247BA2C3BC9984CB00
                                                          Function 02F50310 Relevance: .0, Instructions: 11COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                          • Instruction ID: 38003e838c2ca83d34aa5f6b68e95454461ef902f020d768d27f640dbcf9f3e3
                                                          • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                          • Instruction Fuzzy Hash: FCD01236100248EFCB01DF41C890D9A772BFBC8750F148019FE19076108A31ED62DA50
                                                          Function 02F30750 Relevance: .0, Instructions: 9COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                          • Instruction ID: d5d5cde02008cbe2589023b1c1aeb46d8bf800a3411c4081ade0e08d3974a3a5
                                                          • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                          • Instruction Fuzzy Hash: 50C04C75B015458FCF15DB19D694F4577F4F744780F1508D0FA05CB721E764E801CA10
                                                          Function 02F74340 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8e6c4b2dad6fe39c60f99da57144b7c871ceae6204449e7be48d36f9f05516cb
                                                          • Instruction ID: 777d981f97b8b7257922a93e69f8959dd38c7a904757295b24d318f0be91a540
                                                          • Opcode Fuzzy Hash: 8e6c4b2dad6fe39c60f99da57144b7c871ceae6204449e7be48d36f9f05516cb
                                                          • Instruction Fuzzy Hash: A0900231605804229240715888C4547800697E0381B95C011E1424558C8A248A565361
                                                          Function 02F73090 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: deb7af9c00dac58ca52390c133ac547cf6b898dd61cfd5b7c18ba37979733172
                                                          • Instruction ID: 2ec827d1416397d9b3653746a674298f162e4c4be5219b336489810e44231be3
                                                          • Opcode Fuzzy Hash: deb7af9c00dac58ca52390c133ac547cf6b898dd61cfd5b7c18ba37979733172
                                                          • Instruction Fuzzy Hash: 4090022124140C12D2407158C4547074007C7D0781F95C011A1024558D86268A6566B1
                                                          Function 02F73010 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 94de1fc34cc30330f543dc8d0149090964a4341ad5408d246f4621aebf694c9b
                                                          • Instruction ID: 263445fbb85ad83505efdede67ff74b671ecd70ca776e2bc9abc27bf39e2772f
                                                          • Opcode Fuzzy Hash: 94de1fc34cc30330f543dc8d0149090964a4341ad5408d246f4621aebf694c9b
                                                          • Instruction Fuzzy Hash: F690022120184852D24072588844B0F810687E1382FD5C019A5156558CC92589555721
                                                          Function 02F74650 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 816ea3f447afcd5de6a1eead59c5078550c43d8356162782cf0ba85b73678103
                                                          • Instruction ID: bce978c43bf327ac4a78a9d8f06be3e961c393fd1c64ebbec8753293c373e851
                                                          • Opcode Fuzzy Hash: 816ea3f447afcd5de6a1eead59c5078550c43d8356162782cf0ba85b73678103
                                                          • Instruction Fuzzy Hash: FD90026160150452424071588844407A00697E13813D5C115A1554564C862889559269
                                                          Function 02F72AF0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d8066958ec5d33947a271faead141de5f22f97475ae26f06bc2b9b5b576a831
                                                          • Instruction ID: 467f8326452664790409cb816fcc3f282507ba5bfbff0a768b7bfc9ca2dccff4
                                                          • Opcode Fuzzy Hash: 6d8066958ec5d33947a271faead141de5f22f97475ae26f06bc2b9b5b576a831
                                                          • Instruction Fuzzy Hash: ED900225221404120245B558464450B444697D63D13D5C015F2416594CC63189655321
                                                          Function 02F72AD0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0a9febc0e69dcf3f76628fde6d5b3d017c86e2e3f18cf3a5c45ca8f69387639f
                                                          • Instruction ID: 6330ff6fc068b81104099ac12376f7e5c912010efb42bd8268ee8a28821eb004
                                                          • Opcode Fuzzy Hash: 0a9febc0e69dcf3f76628fde6d5b3d017c86e2e3f18cf3a5c45ca8f69387639f
                                                          • Instruction Fuzzy Hash: 70900435311404130305F55C47445074047C7D53D13D5C031F3015554CD731CD715131
                                                          Function 02F72AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de562327d895bec0d0dce3c26709fd69112d5a2fc62a5e630954350255b37762
                                                          • Instruction ID: e5dbecbaa40eff2e1261a3919e247344876bdd5e685eed897af17907ddacc7c2
                                                          • Opcode Fuzzy Hash: de562327d895bec0d0dce3c26709fd69112d5a2fc62a5e630954350255b37762
                                                          • Instruction Fuzzy Hash: 299002A1201544A24600B258C444B0B850687E0381B95C016E2054564CC53589519135
                                                          Function 02F72BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7ffb3400f1ae9f5e9d499d8dafce0cdb41081b8570d6dbd76fe9f01e41d6e60a
                                                          • Instruction ID: 293596ec0dc22d00f7082bb0d727e16972194c2a445f3c4e100740077e77aeb0
                                                          • Opcode Fuzzy Hash: 7ffb3400f1ae9f5e9d499d8dafce0cdb41081b8570d6dbd76fe9f01e41d6e60a
                                                          • Instruction Fuzzy Hash: 4F90023120140C12D2807158844464B400687D1381FD5C015A1025658DCA258B5977A1
                                                          Function 02F72BE0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6a4d3fc9a901c2d679826113756a3f84807cafcdc2cc8b0d1bf7a7c05d9b9b9
                                                          • Instruction ID: 950661c4d26de2a8321406531e552750b107b6f00885041f66e7480097c72602
                                                          • Opcode Fuzzy Hash: b6a4d3fc9a901c2d679826113756a3f84807cafcdc2cc8b0d1bf7a7c05d9b9b9
                                                          • Instruction Fuzzy Hash: 5990023120544C52D24071588444A47401687D0385F95C011A1064698D96358E55B661
                                                          Function 02F72BA0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ec1e8f11550ce4e916c578dee65c38011d352d98998bd6a79d7dad14802f259f
                                                          • Instruction ID: 83c7ecafb7dce67982fb0ee1e7418d246be938c37a19d5d2cdd919b3257ae217
                                                          • Opcode Fuzzy Hash: ec1e8f11550ce4e916c578dee65c38011d352d98998bd6a79d7dad14802f259f
                                                          • Instruction Fuzzy Hash: 4890023160540C12D25071588454747400687D0381F95C011A1024658D87658B5576A1
                                                          Function 02F72B80 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b0fac7dfe72bd4b4ec669b6d74bc895802b8f2d42a783e8f23a9ef1a964fb9ca
                                                          • Instruction ID: ddbfa930810c4575a41dc5ee30c7d5e8dd8716c4c4c55561ce8a5119354d5096
                                                          • Opcode Fuzzy Hash: b0fac7dfe72bd4b4ec669b6d74bc895802b8f2d42a783e8f23a9ef1a964fb9ca
                                                          • Instruction Fuzzy Hash: 7F90023120140C12D20471588844687400687D0381F95C011A7024659E967589917131
                                                          Function 02F739B0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4e0dab24060af936d7f3611d291dc92ce989ccbddcba25208c05fb2c679ff98c
                                                          • Instruction ID: 5267f6294e82b2be66da60b6db72b95d758cf5be2e075d8b945060a99c6e3bc8
                                                          • Opcode Fuzzy Hash: 4e0dab24060af936d7f3611d291dc92ce989ccbddcba25208c05fb2c679ff98c
                                                          • Instruction Fuzzy Hash: 5E90022124545512D250715C84446178006A7E0381F95C021A1814598D856589556221
                                                          Function 02F72EE0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9646e1f42911e763ed1df01795400eabe043cbedcea68684e5804eff51c4ca7b
                                                          • Instruction ID: 9485ab621b22bc75d7be221186f8e99a4c2adafd883cbe42c255be7ec2acb2e2
                                                          • Opcode Fuzzy Hash: 9646e1f42911e763ed1df01795400eabe043cbedcea68684e5804eff51c4ca7b
                                                          • Instruction Fuzzy Hash: 0390026120180813D24075588844607400687D0382F95C011A3064559E8A398D516135
                                                          Function 02F72EA0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 765523f206a148cda44ac0402bcb9ef5126093ad06c38084166f20672dff3c7c
                                                          • Instruction ID: 4a2fdb19b0abd5115330e4c11f3fca362a0d4277f691ee9065d463fd37e2e52f
                                                          • Opcode Fuzzy Hash: 765523f206a148cda44ac0402bcb9ef5126093ad06c38084166f20672dff3c7c
                                                          • Instruction Fuzzy Hash: C190027120140812D24071588444747400687D0381F95C011A6064558E86698ED56665
                                                          Function 02F72E80 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76ac7142098ad94cd09c79c106ec0e211a82ec0b5c4bba6e721acdedfd9bd470
                                                          • Instruction ID: e6ec6445716d0cc5201552ac41459db3133a20f946cc127b3a0ba35b9e94a17f
                                                          • Opcode Fuzzy Hash: 76ac7142098ad94cd09c79c106ec0e211a82ec0b5c4bba6e721acdedfd9bd470
                                                          • Instruction Fuzzy Hash: 8990022160140912D20171588444617400B87D03C1FD5C022A2024559ECA358A92A131
                                                          Function 02F72E30 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6000688fdf554e5d47ca22c830234e1b8b70d763dc9c18963cadd576678e515d
                                                          • Instruction ID: ae6a3a0342bbe6a14892aca1bddfda12de2212ed9c1e7eb86337fc29c2e709a1
                                                          • Opcode Fuzzy Hash: 6000688fdf554e5d47ca22c830234e1b8b70d763dc9c18963cadd576678e515d
                                                          • Instruction Fuzzy Hash: 5A90022130140812D20271588454607400AC7D13C5FD5C012E2424559D86358A53A132
                                                          Function 02F72FE0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1d30de956833180121738e41d5a66d2e7f80e91669b0fb633c6a50877d20526a
                                                          • Instruction ID: d150770c63ea00edeb6ac27b7e35b988931780506cd753a4a31df31912c84ef6
                                                          • Opcode Fuzzy Hash: 1d30de956833180121738e41d5a66d2e7f80e91669b0fb633c6a50877d20526a
                                                          • Instruction Fuzzy Hash: 3A900221211C0452D30075688C54B07400687D0383F95C115A1154558CC92589615521
                                                          Function 02F72FB0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4522a7cb054b2eb74488f4cb4419fba280ef8f6c39345cf440fb0e16bdf464db
                                                          • Instruction ID: c664a66bc4b69a55de803b292a9c0a5b0e2ae98e39b5c5cc93bb64baa3aee922
                                                          • Opcode Fuzzy Hash: 4522a7cb054b2eb74488f4cb4419fba280ef8f6c39345cf440fb0e16bdf464db
                                                          • Instruction Fuzzy Hash: A99002216014045242407168C8849078006ABE1391795C121A1998554D856989655665
                                                          Function 02F72FA0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 592d573333434ff54c76b6feefb0622e5f30707c004abb97e4efbecf7d1580a8
                                                          • Instruction ID: 014c8481ed9d033626ec0f60d6a9ab7ed1649671d115eb510b854b7c8ae88a4c
                                                          • Opcode Fuzzy Hash: 592d573333434ff54c76b6feefb0622e5f30707c004abb97e4efbecf7d1580a8
                                                          • Instruction Fuzzy Hash: 7D90023120180812D20071588848747400687D0382F95C011A6164559E8675C9916531
                                                          Function 02F72F90 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c737d04a150e156af8fe72b145790d6d380bb1889f0348186e9bdfe568fbe15b
                                                          • Instruction ID: cf5164f095b21fd25ed4caca889ed82f760e53699432638f3744bb3c9263a8fb
                                                          • Opcode Fuzzy Hash: c737d04a150e156af8fe72b145790d6d380bb1889f0348186e9bdfe568fbe15b
                                                          • Instruction Fuzzy Hash: DB90023120180812D2007158885470B400687D0382F95C011A2164559D863589516571
                                                          Function 02F72F60 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 346ae33dbc9595dde14f9b83299b85ce8b07e732047857de2dee8921c9a9c115
                                                          • Instruction ID: ee48515411b593ef6910d2bbeb649bdc0809f6632f1f5f3afb3cd3a0da1f553f
                                                          • Opcode Fuzzy Hash: 346ae33dbc9595dde14f9b83299b85ce8b07e732047857de2dee8921c9a9c115
                                                          • Instruction Fuzzy Hash: 0C90026121140452D20471588444707404687E1381F95C012A3154558CC5398D615125
                                                          Function 02F72F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7ac7b521c68951d1d1b3d3569097dc821d336104472e8f5c7de928508f9c64f5
                                                          • Instruction ID: be8d6f0e2397ba7acd55e19097630d1c657647c5d0f26eea035180a3c1308dc4
                                                          • Opcode Fuzzy Hash: 7ac7b521c68951d1d1b3d3569097dc821d336104472e8f5c7de928508f9c64f5
                                                          • Instruction Fuzzy Hash: 9F90026134140852D20071588454B074006C7E1381F95C015E2064558D8629CD526126
                                                          Function 02F72CF0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78e3b2926733911ada972da393807bd88734629e85860e80f9e154d3eeca5bb7
                                                          • Instruction ID: 489e3af334b05d113b09812c9eab8159772f0f4045c5431a5d09c21b8f0432ef
                                                          • Opcode Fuzzy Hash: 78e3b2926733911ada972da393807bd88734629e85860e80f9e154d3eeca5bb7
                                                          • Instruction Fuzzy Hash: BD90023120140813D20071589548707400687D0381F95D411A142455CDD66689516121
                                                          Function 02F72CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c4a2a71024421de9bb6928e80584faf6209272573d9615bb5aa0d5093889a076
                                                          • Instruction ID: c27a7fd2d6659dc1d47dba9644662f839c5e9972acc18fedec95d6da50498bcb
                                                          • Opcode Fuzzy Hash: c4a2a71024421de9bb6928e80584faf6209272573d9615bb5aa0d5093889a076
                                                          • Instruction Fuzzy Hash: 7790022160540812D24071589458707401687D0381F95D011A1024558DC6698B5566A1
                                                          Function 02F72CA0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35ddc65ff71134dc27f41b91ba72688ea3811831bb95fdf412e34763d5c6d942
                                                          • Instruction ID: f8c55d04676976a4f8a0fe12c7c954296afe69670706be88980c272604cd766a
                                                          • Opcode Fuzzy Hash: 35ddc65ff71134dc27f41b91ba72688ea3811831bb95fdf412e34763d5c6d942
                                                          • Instruction Fuzzy Hash: 6F90023120140812D20075989448647400687E0381F95D011A6024559EC67589916131
                                                          Function 02F72C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3833d978aed9358b95aaebd5226c3b85ba58bd06e107e60b9ce7a27e5b60cda0
                                                          • Instruction ID: 53e3dd2c38f45f97de1473147925b0259d80ce3fe2724691b16c318076f07c40
                                                          • Opcode Fuzzy Hash: 3833d978aed9358b95aaebd5226c3b85ba58bd06e107e60b9ce7a27e5b60cda0
                                                          • Instruction Fuzzy Hash: 6490023120148C12D2107158C44474B400687D0381F99C411A542465CD86A589917121
                                                          Function 02F72C60 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ee85e8988b5a1fe9753ced154ce5d56cb6587237d10ee234fb84f89cc5dc65d2
                                                          • Instruction ID: 3b1b2835c82cfeca7b1995633a10cb1b063eb0de561002f7d6f65da5571261ae
                                                          • Opcode Fuzzy Hash: ee85e8988b5a1fe9753ced154ce5d56cb6587237d10ee234fb84f89cc5dc65d2
                                                          • Instruction Fuzzy Hash: BC90023120140C52D20071588444B47400687E0381F95C016A1124658D8625C9517521
                                                          Function 02F72DD0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6a95e4eee8834769e57df19572c56c3e5009e1df467389b471e5d9bf4fc00442
                                                          • Instruction ID: 3b039ebd4e63f11507eb45e397870b9f0a44b633512dacdf8a380987a1ceb131
                                                          • Opcode Fuzzy Hash: 6a95e4eee8834769e57df19572c56c3e5009e1df467389b471e5d9bf4fc00442
                                                          • Instruction Fuzzy Hash: C3900221242445625645B1588444507800797E03C17D5C012A2414954C85369956D621
                                                          Function 02F72DB0 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d9acffa3b941d46fd34969325b3d6696316e4f75731f1f6db5bef05db088315b
                                                          • Instruction ID: 7a9f2c784e4076fa2936c44fa67f3e9ab6f7e442748f3a1d2f0d24d790dd687f
                                                          • Opcode Fuzzy Hash: d9acffa3b941d46fd34969325b3d6696316e4f75731f1f6db5bef05db088315b
                                                          • Instruction Fuzzy Hash: B990023124140812D24171588444607400A97D03C1FD5C012A1424558E86658B56AA61
                                                          Function 02F73D70 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b90f533c82626eb5923dedf542d29883ce5dd20343036100f635375c1b846d9b
                                                          • Instruction ID: 8d2080def9deb3347d6915562e05402f249abde8a383b633fdd9508864394038
                                                          • Opcode Fuzzy Hash: b90f533c82626eb5923dedf542d29883ce5dd20343036100f635375c1b846d9b
                                                          • Instruction Fuzzy Hash: 6090023520140812D61071589844647404787D0381F95D411A142455CD866489A1A121
                                                          Function 02F72D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8d7e844dd12f2e80fa8743f51ac078f02b8bcce4c67bc363c1c7f2b74b334d66
                                                          • Instruction ID: 5e801efa99b769e1f3e593a3a2848e1e5fd5eb25c5843d30e341e0d747908486
                                                          • Opcode Fuzzy Hash: 8d7e844dd12f2e80fa8743f51ac078f02b8bcce4c67bc363c1c7f2b74b334d66
                                                          • Instruction Fuzzy Hash: 1B90022130140413D240715894586078006D7E1381F95D011E1414558CD92589565222
                                                          Function 02F72D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc53474ad0d7a706614ef9ea569595c38e226ef0b0bdc140c0fca83b17ad8e46
                                                          • Instruction ID: 35b4c63025f7f4e4cedd62f7fc094acbb690ab4edf467d2c5c990896fa4aff3c
                                                          • Opcode Fuzzy Hash: dc53474ad0d7a706614ef9ea569595c38e226ef0b0bdc140c0fca83b17ad8e46
                                                          • Instruction Fuzzy Hash: 4B90022921340412D2807158944860B400687D1382FD5D415A101555CCC92589695321
                                                          Function 02F73D10 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 380f427573cc4afb4438fa162afb5f9491e28c676b5f3dcedaea93785d690bcc
                                                          • Instruction ID: b828780c6310ce29f592235413ace4139a1f4d484d0d3d2e531a88afa4c6f673
                                                          • Opcode Fuzzy Hash: 380f427573cc4afb4438fa162afb5f9491e28c676b5f3dcedaea93785d690bcc
                                                          • Instruction Fuzzy Hash: 6190023120240552964072589844A4F810687E1382BD5D415A1015558CC92489615221
                                                          Function 02F72D00 Relevance: .0, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b239f7cfa362f3967171c4158bfd5561953d9d52e9e6226e5bb2472f87c6b700
                                                          • Instruction ID: 6c803c10ddca198412d83853ab8b51d31305523223596316ed09e6af10420710
                                                          • Opcode Fuzzy Hash: b239f7cfa362f3967171c4158bfd5561953d9d52e9e6226e5bb2472f87c6b700
                                                          • Instruction Fuzzy Hash: 8D90022120544852D20075589448A07400687D0385F95D011A2064599DC6358951A131
                                                          Function 02F72C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                          • Instruction ID: 65e5256bdf13a58bb659f25a7a57238f9c057c83d9dd8f62f93113ab387b9ee0
                                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                          • Instruction Fuzzy Hash:
                                                          Function 02F72890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          • Opcode ID: 389922a347fcda8d403d7502f4bf903b5e26e42a43d91d3d4f8c8943a005b1b1
                                                          • Instruction ID: 9286b6efb93f2a3682e29574b405e1b32e647c43da7f7bb0eeb84047409b85b8
                                                          • Opcode Fuzzy Hash: 389922a347fcda8d403d7502f4bf903b5e26e42a43d91d3d4f8c8943a005b1b1
                                                          • Instruction Fuzzy Hash: 9151F9B6F00116BFDB10DB98CCA0A7EF7B8BB08280754816AEA95D7641D774DE44DBA0
                                                          Function 02F67630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02FA4655
                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 02FA4787
                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02FA4742
                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02FA46FC
                                                          • Execute=1, xrefs: 02FA4713
                                                          • ExecuteOptions, xrefs: 02FA46A0
                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02FA4725
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                          • API String ID: 0-484625025
                                                          • Opcode ID: f7c3ace46f104b553765f8d0b9e580fc61540b3eabf41e65eec2087fc834e4d8
                                                          • Instruction ID: 83bf79866da9da761f5e5572c7927d80a2ea43609c6191eef2c90aa1a903ec4f
                                                          • Opcode Fuzzy Hash: f7c3ace46f104b553765f8d0b9e580fc61540b3eabf41e65eec2087fc834e4d8
                                                          • Instruction Fuzzy Hash: A9510B71A0021D6AEF11BA64DC59FFEB7B9EF04388F1401A9D705A7190D771AE45CF50
                                                          Function 02F7B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-$0$0
                                                          • API String ID: 1302938615-699404926
                                                          • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                          • Instruction ID: cca5d9ad3feccc01f6c82c67f7f591ccae7c40041cd8b011036920584a3de485
                                                          • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                          • Instruction Fuzzy Hash: 5E81A670E0524D9EDF24CF68C891BFE7BB2AF4639CF18425BDA51A7290C7349942CB51
                                                          Function 02F5F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • RTL: Re-Waiting, xrefs: 02FA031E
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02FA02E7
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02FA02BD
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                          • API String ID: 0-2474120054
                                                          • Opcode ID: bbc892e5b967f27be236302a5b70c1f69520ef0bd79f46c0540dd6d2090e49c2
                                                          • Instruction ID: 695597eaae085119a80ef5f6ff03d4185ad8666dd827d12e641e729a991f449b
                                                          • Opcode Fuzzy Hash: bbc892e5b967f27be236302a5b70c1f69520ef0bd79f46c0540dd6d2090e49c2
                                                          • Instruction Fuzzy Hash: 0EE1D071A087419FD724CF28D894B2AB7E1BF85394F140AADFB958B6D0DB74D844CB42
                                                          Function 02F6BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • RTL: Re-Waiting, xrefs: 02FA7BAC
                                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02FA7B7F
                                                          • RTL: Resource at %p, xrefs: 02FA7B8E
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 0-871070163
                                                          • Opcode ID: a08b39de8a8558ea9383663cfa65ebc69bffaa01948b49f91d2c14b83d1b25f3
                                                          • Instruction ID: b735a0115d9f78f5169e9bba4a583801c52b5586788d2f42bb93ebc6bef027cc
                                                          • Opcode Fuzzy Hash: a08b39de8a8558ea9383663cfa65ebc69bffaa01948b49f91d2c14b83d1b25f3
                                                          • Instruction Fuzzy Hash: BB41C272B017029FD724DE25CC50B6AB7E6EF88794F100A2DEA56EB690D770E405CB91
                                                          Function 02F6B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FA728C
                                                          Strings
                                                          • RTL: Re-Waiting, xrefs: 02FA72C1
                                                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02FA7294
                                                          • RTL: Resource at %p, xrefs: 02FA72A3
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 885266447-605551621
                                                          • Opcode ID: 0d0978ebfbf658e7923e1227555eef8363fc950b1854dc01ce2c3e198b00a950
                                                          • Instruction ID: 4f13794b748ea3020925b1a2aa376555f96a233273bb1358f2ecf983bfb05aa3
                                                          • Opcode Fuzzy Hash: 0d0978ebfbf658e7923e1227555eef8363fc950b1854dc01ce2c3e198b00a950
                                                          • Instruction Fuzzy Hash: 3E41E372B00246ABD720DE25CD41F6AB7E5FF54794F100629FA55EB680DB20E802CBD1
                                                          Function 02F77D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-
                                                          • API String ID: 1302938615-2137968064
                                                          • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                          • Instruction ID: 3ecdf22d0b75ef8fe04d84a217ffeef8b974157756ca3960525641be100de758
                                                          • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                          • Instruction Fuzzy Hash: 7D91A371E102169BDB24EE69C980BFEF7A5EF447A4F14461BEA65EB2C0D7309940CB90
                                                          Function 02F39126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2005075194.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_2f00000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $$@
                                                          • API String ID: 0-1194432280
                                                          • Opcode ID: b0bdf6739e1b32254684ff3fc57de4734b1a6c6b73792b808323c1d2bb16b0aa
                                                          • Instruction ID: 90893a812f4d401d58cf4182aa6af20c10aa8f3a9d212fe25e064f8e1ef12de3
                                                          • Opcode Fuzzy Hash: b0bdf6739e1b32254684ff3fc57de4734b1a6c6b73792b808323c1d2bb16b0aa
                                                          • Instruction Fuzzy Hash: 01810C72D012699BEB31DF54CC44BEEB7B4AF48754F0041EAAA19B7680D7709E84CFA0

                                                          Execution Graph

                                                          Execution Coverage:4.1%
                                                          Dynamic/Decrypted Code Coverage:98.1%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:106
                                                          Total number of Limit Nodes:7
                                                          execution_graph 5752 9981b1 5756 998075 5752->5756 5753 998186 CloseHandle 5753->5756 5754 9981ad GetTokenInformation 5754->5756 5755 9980ca GetTokenInformation 5755->5756 5756->5753 5756->5754 5756->5755 5757 9980a7 5756->5757 5821 998090 5824 998075 5821->5824 5822 998186 CloseHandle 5822->5824 5823 9980ca GetTokenInformation 5823->5824 5824->5822 5824->5823 5825 9980a7 5824->5825 5826 9981ad GetTokenInformation 5824->5826 5826->5824 5847 9957f0 5850 9955ac 5847->5850 5848 9955e9 5850->5847 5850->5848 5851 9b3870 5850->5851 5852 9b3876 5851->5852 5854 9b3893 5852->5854 5855 9b3720 5852->5855 5854->5850 5856 9a0c42 5855->5856 5856->5855 5857 99e050 VirtualAlloc 5856->5857 5858 9b37dd 5856->5858 5857->5856 5858->5854 5858->5858 5832 9952f4 5835 9952cb 5832->5835 5833 9953c4 GetSystemDefaultLangID 5834 9952b0 5833->5834 5835->5833 5835->5834 5827 9952b7 5828 9952b0 5827->5828 5830 9952c4 5827->5830 5829 9953c4 GetSystemDefaultLangID 5831 995475 5829->5831 5830->5828 5830->5829 5867 995b09 5868 995b16 5867->5868 5869 995c01 CloseHandle 5868->5869 5870 995cdf CreateThread 5868->5870 5872 995c20 5868->5872 5873 995d37 5869->5873 5870->5868 5870->5869 5874 9954a0 5870->5874 5859 9955ef 5862 9955ac 5859->5862 5860 9b3870 VirtualAlloc 5860->5862 5861 9955e9 5862->5860 5862->5861 5758 995b00 5759 995bba 5758->5759 5766 9a52c0 5759->5766 5761 995bc7 5765 995bde 5761->5765 5771 9b0080 5761->5771 5767 9a52c6 5766->5767 5770 9a52ce 5766->5770 5767->5770 5785 99e050 5767->5785 5770->5761 5777 9b0089 5771->5777 5772 9b03e0 GetComputerNameW 5772->5777 5773 9b0181 VirtualFree 5773->5777 5774 99e050 VirtualAlloc 5774->5777 5775 9b03bf GetUserNameW 5775->5777 5776 9b04d6 GetComputerNameW 5776->5777 5777->5772 5777->5773 5777->5774 5777->5775 5777->5776 5778 995c7b 5777->5778 5779 998070 5778->5779 5781 998075 5779->5781 5780 998186 CloseHandle 5780->5781 5781->5780 5782 9981ad GetTokenInformation 5781->5782 5783 9980ca GetTokenInformation 5781->5783 5784 9980a7 5781->5784 5782->5781 5783->5781 5784->5765 5786 99e0c3 5785->5786 5787 99e0d8 VirtualAlloc 5786->5787 5787->5786 5836 995860 5837 9a52c0 VirtualAlloc 5836->5837 5838 995869 5837->5838 5839 9b0080 5 API calls 5838->5839 5840 99587d 5839->5840 5841 998070 3 API calls 5840->5841 5842 995870 5841->5842 5788 995be2 5789 995bfc CloseHandle 5788->5789 5791 995be7 5788->5791 5789->5791 5792 995b42 5794 995b07 5792->5794 5794->5792 5797 995bb4 5794->5797 5799 995b68 5794->5799 5800 9952a0 5794->5800 5795 995cdf CreateThread 5796 995c01 CloseHandle 5795->5796 5795->5797 5804 9954a0 5795->5804 5796->5799 5797->5795 5797->5796 5797->5799 5803 9952ab 5800->5803 5801 9953c4 GetSystemDefaultLangID 5802 9952b0 5801->5802 5802->5794 5803->5801 5803->5802 5805 9954b5 5804->5805 5863 9955e4 5865 9955ac 5863->5865 5864 9b3870 VirtualAlloc 5864->5865 5865->5863 5865->5864 5866 9955e9 5865->5866 5811 995b87 CreateThread 5812 995b1c 5811->5812 5819 995810 5811->5819 5813 995c01 CloseHandle 5812->5813 5814 995cdf CreateThread 5812->5814 5817 995c20 5812->5817 5816 995d37 5813->5816 5814->5812 5814->5813 5818 9954a0 5814->5818 5820 995822 5819->5820 5885 995347 5886 9952cb 5885->5886 5887 9953c4 GetSystemDefaultLangID 5886->5887 5889 9952b0 5886->5889 5888 995475 5887->5888

                                                          Executed Functions

                                                          Function 009952A0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 314 9952a0-9953fe 319 9d0d4c-9d0d4e 314->319 320 995400-995424 314->320 322 99539b 320->322 323 99542a 320->323 324 99539d-9953a1 322->324 325 995413-995419 322->325 323->322 326 995430-99543e 323->326 327 9952b0-9952b5 324->327 328 9953a7 324->328 329 995441-99544a 326->329 328->327 330 9953ad 328->330 334 995450 329->334 335 9953c4-9953ca GetSystemDefaultLangID 329->335 332 9953af 330->332 333 9953f3-9953f9 330->333 336 9953e0-9953f1 332->336 344 99532a 333->344 345 995355 333->345 342 995411 334->342 343 9953c1 334->343 338 995475-99547b 335->338 336->325 336->333 338->319 342->325 342->335 343->342 346 9953c3 343->346 344->345 348 99532c-99533f 344->348 349 9952e8-995363 345->349 350 9952d1-9952e7 345->350 351 99536b-99536f 348->351 356 9953d1-9953d5 349->356 357 995365 349->357 350->349 351->329 352 995375-995390 351->352 352->346 358 995392-99539a 352->358 356->324 359 9953d7 356->359 357->356 360 995367-995369 357->360 358->324 359->336 361 995342-995345 359->361 360->351 361->320 362 99534b 361->362 362->320 363 995351-995353 362->363 363->345
                                                          APIs
                                                          • GetSystemDefaultLangID.KERNELBASE ref: 009953C4
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID: DefaultLangSystem
                                                          • String ID:
                                                          • API String ID: 706401283-0
                                                          • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                                          • Instruction ID: 7e1f51885664d4502edf64c1499c77b036275aacca76b39c856f677499d9dcd5
                                                          • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                                          • Instruction Fuzzy Hash: A241E55140DE95CFDF27432C48662777BA89B223E2F9F08D7D496CA0F2E19C4C819726
                                                          Function 009B0080 Relevance: 5.0, APIs: 3, Instructions: 466COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 9b0080-9b0286 2 9b0099-9b0575 0->2 3 9b028c 0->3 7 9b057b 2->7 8 9b0155 2->8 5 9b0445 3->5 5->2 6 9b044b-9b0457 5->6 9 9b0458-9b0472 GetComputerNameW 6->9 7->8 10 9b0581-9b0587 7->10 11 9b02ef-9b0495 call 99e050 * 2 8->11 15 9b03ee-9b03f4 9->15 16 9b024c-9b0253 9->16 13 9b058b 10->13 11->9 50 9b043e 11->50 18 9b058c-9b0591 13->18 19 9b0181 VirtualFree 13->19 37 9b00da-9b023f 15->37 38 9b03fa 15->38 23 9b01e6 16->23 24 9b0255 16->24 21 9b04ab-9b04af 18->21 22 9b0597 18->22 20 9b01a8-9b02ac call 9c7164 19->20 28 9b02b1-9b02be 20->28 48 9b04c7 21->48 22->21 30 9b059d 22->30 27 9b01ec-9b0313 call 9c715c 23->27 23->28 31 9b02d3 24->31 53 9b0318-9b031e 27->53 33 9b03bf-9b03d9 GetUserNameW 28->33 34 9b02c4 28->34 30->21 31->23 36 9b02d9 31->36 43 9b0331 33->43 34->33 44 9b02ca 34->44 36->11 37->16 51 9b0241-9b024a 37->51 38->37 45 9b0400 38->45 54 9b0171 43->54 55 9b0337 43->55 44->31 52 9bb1ee-9bb49f 45->52 59 9b04cc-9b04e6 call 9c9970 GetComputerNameW 48->59 50->5 51->16 51->28 57 9b0568-9b056b 53->57 58 9b0324 53->58 60 9b013f-9b0146 54->60 61 9b0173 54->61 55->54 56 9b033d 55->56 63 9b05d0-9b05d9 56->63 57->59 58->57 65 9b032a 58->65 70 9b04ec-9b0514 59->70 71 9b0131 59->71 60->13 62 9b0230 61->62 62->48 67 9b0236-9b05c2 62->67 63->52 65->43 67->48 74 9b05c8-9b05c9 67->74 70->57 72 9b0089-9b008c 71->72 73 9b0137 71->73 72->20 76 9b0092 72->76 73->72 77 9b013d 73->77 74->63 76->20 78 9b0098 76->78 77->19 77->60 78->2
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID: ComputerName
                                                          • String ID:
                                                          • API String ID: 3545744682-0
                                                          • Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                                          • Instruction ID: 318193acf0547fbb5b573026f16a91d4196d427215b1f93992e386db591f7248
                                                          • Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
                                                          • Instruction Fuzzy Hash: 1AD1E43151CB0D8BC728EF58D94A7EBB7D5FBE0320F184A1ED846C7164DA789A458AC2
                                                          Function 00998070 Relevance: 4.7, APIs: 3, Instructions: 236COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 79 998070-99817e 81 99813d-9981a5 79->81 82 998180 79->82 97 9981bd-9981ca 81->97 98 9981a7 81->98 83 99815f 82->83 84 998184 82->84 83->81 88 998161 83->88 85 99818c-998192 84->85 86 998186 CloseHandle 84->86 89 998115-998118 85->89 90 998194 85->90 86->85 92 998163-998170 call 9c7164 88->92 94 998119-99811a 89->94 95 9980a7 89->95 90->89 96 99819a 90->96 92->86 102 998172 92->102 94->95 100 99811c 94->100 101 99813c 96->101 107 9981d0 97->107 108 9980f3 97->108 103 99820f 100->103 101->84 102->85 105 99808e-998096 103->105 106 998215-99821e 103->106 105->84 105->95 106->105 118 998224 106->118 115 9981fe-998201 GetTokenInformation 107->115 116 9980c3 107->116 110 99808c 108->110 111 9980f5 108->111 110->105 111->110 117 998077 111->117 115->103 130 9981b7 115->130 116->115 120 9980c9 116->120 121 9981d7-9981de call 9c715c 117->121 118->121 122 998226 118->122 126 9980ca-9980d8 GetTokenInformation 120->126 128 9981e3-9981e6 121->128 122->121 123 998228-9982ee call 995d90 122->123 145 99830c-99831e 123->145 146 9982f0 123->146 129 99810f 126->129 128->126 144 998089 128->144 131 99812d 129->131 132 998111 129->132 130->103 135 9981b9-9981bb 130->135 139 9980a8 131->139 140 998133 131->140 132->131 137 998113 132->137 135->97 137->89 142 9980aa-9980ad 139->142 140->101 143 9981ed-9981f0 140->143 142->92 147 9980b3-998203 142->147 148 9980da-9980f1 143->148 149 9981f6 143->149 144->126 150 99808b 144->150 154 9982a1-9982ba call 995d90 call 99ec00 145->154 155 998320 145->155 146->145 151 9982f2 146->151 147->92 158 998209 147->158 148->142 149->148 153 9981fc 149->153 150->110 157 9982f7-9982fc call 995d90 151->157 153->115 154->155 155->157 159 998322 155->159 169 998253-998265 call 9b1280 157->169 170 998302 157->170 159->157 163 998324-998326 159->163 166 998328 163->166 173 9982df-99832b 166->173 174 998335 166->174 169->166 179 99826b 169->179 170->169 175 998308-99830a 170->175 173->174 180 99832d-998331 173->180 178 99826e-998285 174->178 175->145 181 99829b-99829d 178->181 182 998287 178->182 179->178 184 998239 179->184 180->174 181->154 183 99824c 182->183 183->181 186 99824e-998252 183->186 184->166 185 99823f-998243 184->185 185->157 185->183 186->178
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                                          • Instruction ID: 0a4014a1951fa1c364b71e9d3b7041d8048a6752aa969b61b9256ea71c967e7e
                                                          • Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
                                                          • Instruction Fuzzy Hash: 9F61433060CA459FDF758B2C881877B7BA8FB57390F680A5EE45BC31A0DF288C468352
                                                          Function 00995B09 Relevance: 3.1, APIs: 2, Instructions: 60COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 187 995b09-995b3b 191 995cff-995d01 187->191 192 995bb4 191->192 193 995d07 191->193 194 995cda-995ce4 CreateThread 192->194 195 995c01-995d41 CloseHandle 192->195 193->192 196 995d0d 193->196 194->195 199 995cea 194->199 201 995d4b-995d52 195->201 202 995d43 195->202 199->195 203 995cf0-995cf6 199->203 204 995d45-995d47 201->204 205 995d54 201->205 202->205 203->191 206 995c20-995c68 203->206 208 995d49 204->208 209 995d5f 204->209 208->201 208->209 210 995d65 209->210 210->210
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                          • Instruction ID: b1c092ac289358fcd98f21ad272b8a8429bc7eb2b7edbf372381929755e1c95a
                                                          • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                          • Instruction Fuzzy Hash: 6A01927010DF468FDF67572C9C1837B77D4AB55324F2B09ABC4C7CA0D5EA684905A712
                                                          Function 00995910 Relevance: 1.9, APIs: 1, Instructions: 607COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 211 995910-995912 212 995950-995968 211->212 213 995915-995928 call 9c9970 211->213 212->213 214 99596a 212->214 220 9959b8 call 9b0df0 213->220 216 99592f 214->216 217 995970-99597b 214->217 216->213 219 995931-9a072c 216->219 221 99597d 217->221 222 9959d4 217->222 231 9a0732-9a0738 219->231 232 9a0806-9a0809 219->232 230 9959bd-9959c2 call 995d90 220->230 221->222 223 99597f-995981 221->223 225 9959d8-9959de 222->225 226 99593b-995a15 call 9b11a0 222->226 228 995983-995a38 223->228 240 9959e0 225->240 241 995994-99599c 225->241 228->241 243 995a3e 228->243 245 9959c7-9959ce 230->245 238 9a073e 231->238 239 9a0800 231->239 246 9a079d-9a07a6 232->246 238->239 247 9a0744-9a0774 238->247 239->232 244 9a06b3-9a06b7 239->244 240->241 257 9959e2-9959ec 240->257 254 99599e-9959f7 241->254 255 995a02 241->255 250 995a2c-995a34 243->250 244->246 256 9a06bd 244->256 251 995a1a-995a26 245->251 252 9959d0 245->252 248 9a07a8 246->248 249 9a0791-9a0793 246->249 264 9a077a-9a081c 247->264 265 9a06d5-9a06d9 247->265 248->249 260 9a07aa 248->260 267 9a07ca-9a07cc 249->267 261 9959d9-9959de call 9c2190 250->261 251->250 262 9959a1-9959b5 call 995e10 251->262 252->251 263 9959d2 252->263 254->255 255->217 256->246 268 9a06c3-9a07fe 256->268 258 9959ee-9959ef 257->258 259 995a62-995a6e 257->259 258->228 270 9959f1 258->270 273 995a70 259->273 274 995a75-995ab3 call 9b1280 259->274 260->267 261->240 261->241 262->220 285 995a08-995a0b 262->285 263->261 264->246 271 9a06db 265->271 272 9a06df 265->272 268->239 270->213 271->272 280 9a06dd 271->280 272->246 273->274 283 995a72 273->283 299 995abb-995ac9 274->299 300 995ab5 274->300 280->272 286 9ac0cc 280->286 283->274 285->241 287 995a0d 285->287 288 9ac0e8-9ac102 286->288 289 9ac0ce-9ac0d0 286->289 296 995991 287->296 297 995932 287->297 292 9ac0d2-9ac0df 288->292 293 9ac104 288->293 289->292 302 9ac0e7 292->302 293->292 293->302 296->297 301 995993 296->301 303 995af2-995af5 299->303 300->299 304 995ab7-995ab9 300->304 301->241 308 995adb-995adc 303->308 309 995ad5 303->309 304->299 310 995ae2 308->310 311 995a45-995a46 308->311 309->308 312 995ad7-995ad9 309->312 310->311 313 995ae8 310->313 312->308 313->303
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                          • Instruction ID: 8fceb520db467d50f50b7a6d392188be37ef6567eaa8d8ed10de84621d20dec2
                                                          • Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
                                                          • Instruction Fuzzy Hash: CAF1282171CE488FDB6A971C59513FA73D2F7DA320F99459EE04FC3296DD289C468382
                                                          Function 00995B42 Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 364 995b42-995b47 call 995d90 366 995b4c-995b52 364->366 368 995b0d 366->368 369 995c42-995c62 call 9b1280 366->369 368->369 371 995b13 368->371 380 995c68 369->380 381 995c24 369->381 372 995c8f-995c96 371->372 374 995c29 372->374 375 995c98-995c9a 372->375 378 995c2f-995c36 374->378 379 995cc2-995cc9 call 9952a0 374->379 377 995c9c 375->377 385 995bfa 377->385 386 995d0e-995d18 377->386 378->379 384 995c3c 378->384 390 995c69 379->390 391 995ccb 379->391 387 995c14-995c19 381->387 388 995c26 381->388 384->364 385->386 392 995c00 385->392 393 995d1a 386->393 394 995d54 386->394 395 995cc0 387->395 396 995c20-995c21 387->396 388->387 397 995c28 388->397 399 995b68-995d75 390->399 400 995c6f 390->400 391->377 398 995ccd 391->398 392->387 401 995d4b-995d52 393->401 395->379 396->380 397->374 398->377 403 995ccf-995cdd 398->403 400->399 405 995c75 400->405 401->394 402 995d45-995d47 401->402 407 995d49 402->407 408 995d5f 402->408 406 995cdf-995ce4 CreateThread 403->406 405->372 409 995cea 406->409 410 995c01-995c05 CloseHandle 406->410 407->401 407->408 411 995d65 408->411 409->410 412 995cf0-995cf6 409->412 415 995d37-995d41 410->415 411->411 412->396 414 995cff-995d01 412->414 417 995bb4 414->417 418 995d07 414->418 415->401 416 995d43 415->416 416->394 417->410 419 995cda-995cdd 417->419 418->417 420 995d0d 418->420 419->406
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                          • Instruction ID: 73e7bccd0938c447e1933088e2ec6cb52898ce5f2e8c7f0ebe3bee80ff00ba16
                                                          • Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
                                                          • Instruction Fuzzy Hash: 8E21B23020CF458FDF6B9B2C845877766E9AB59311F5B09A68087CF2D6EA28CC44D356
                                                          Function 00995B87 Relevance: 1.5, APIs: 1, Instructions: 23threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 421 995b87-995b99 CreateThread 424 995cff-995d01 421->424 425 995bb4 424->425 426 995d07 424->426 427 995cda-995ce4 CreateThread 425->427 428 995c01-995c05 CloseHandle 425->428 426->425 429 995d0d 426->429 427->428 432 995cea 427->432 433 995d37-995d41 428->433 432->428 436 995cf0-995cf6 432->436 434 995d4b-995d52 433->434 435 995d43 433->435 437 995d45-995d47 434->437 438 995d54 434->438 435->438 436->424 439 995c20-995c68 436->439 441 995d49 437->441 442 995d5f 437->442 441->434 441->442 443 995d65 442->443 443->443
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                          • Instruction ID: e0bec9f308ab4e61039d39e5155d7732c80c334bdbdf0158e00e3f997bafe22b
                                                          • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                          • Instruction Fuzzy Hash: B9E0863060DF444FDF5B9B28981031A3AE5EB88310F1A05DEC44AD71D1DB6949058792
                                                          Function 0099599B Relevance: 1.3, APIs: 1, Instructions: 48COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 444 99599b-99599e 445 9959f7 444->445 446 995a02 445->446 448 99597d 446->448 449 9959d4 446->449 448->449 450 99597f-995981 448->450 451 9959d8-9959de 449->451 452 99593b-995a15 call 9b11a0 449->452 453 995983-995a38 450->453 458 9959e0 451->458 459 995994-99599c 451->459 453->459 461 995a3e 453->461 458->459 464 9959e2-9959ec 458->464 459->446 463 99599e 459->463 462 995a2c-995a34 461->462 467 9959d9-9959de call 9c2190 462->467 463->445 465 9959ee-9959ef 464->465 466 995a62-995a6e 464->466 465->453 468 9959f1 call 9c9970 465->468 469 995a70 466->469 470 995a75-995ab3 call 9b1280 466->470 467->458 467->459 480 9959b8 call 9b0df0 468->480 469->470 475 995a72 469->475 484 995abb-995ac9 470->484 485 995ab5 470->485 475->470 483 9959bd-9959c2 call 995d90 480->483 489 9959c7-9959ce 483->489 487 995af2-995af5 484->487 485->484 488 995ab7-995ab9 485->488 500 995adb-995adc 487->500 501 995ad5 487->501 488->484 490 995a1a-995a26 489->490 491 9959d0 489->491 490->462 493 9959a1-9959b5 call 995e10 490->493 491->490 494 9959d2 491->494 493->480 499 995a08-995a0b 493->499 494->467 499->459 504 995a0d 499->504 502 995ae2 500->502 503 995a45-995a46 500->503 501->500 505 995ad7-995ad9 501->505 502->503 506 995ae8 502->506 508 995991 504->508 509 995932 504->509 505->500 506->487 508->509 510 995993 508->510 510->459
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID: wcscpy
                                                          • String ID:
                                                          • API String ID: 1284135714-0
                                                          • Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                                          • Instruction ID: c1e66d732b224f527dca0f85ec48c694ce6112ecfa8866b0668fb00bc32206c6
                                                          • Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
                                                          • Instruction Fuzzy Hash: 3C01D66090EE80CFFF17A71C405537B6555B794330FAB095AA08ACB192C8384D009746
                                                          Function 00995BE2 Relevance: 1.3, APIs: 1, Instructions: 25COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 511 995be2-995be5 512 995bfc-995c05 CloseHandle 511->512 513 995be7-995bef 511->513 520 995d37-995d41 512->520 514 995ca3 513->514 517 995ca8-995cb3 call 995e10 514->517 518 995ca5 514->518 527 995cb5 517->527 528 995d26 517->528 518->517 521 995ca7 518->521 522 995d4b-995d52 520->522 523 995d43 520->523 521->520 525 995d45-995d47 522->525 526 995d54 522->526 523->526 531 995d49 525->531 532 995d5f 525->532 527->528 529 995cb7 527->529 530 995d27-995d2a call 995910 528->530 533 995d5b-995d5d 529->533 537 995d2e 530->537 531->522 531->532 535 995d65 532->535 533->532 535->535 537->533
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                                          • Instruction ID: c7fd87fc302d6e764ba1acd5242ae77c03c2d1407103774133f0be078fa3d8da
                                                          • Opcode Fuzzy Hash: 5b5d7b071b63003723a190de38853bb16d482f491faa3db3b767200ea78fc1cb
                                                          • Instruction Fuzzy Hash: 01E0C27150CF0ACFEF57B61CC80927722C4D7283213270D218802D7150F41CCE066B12
                                                          Function 00998090 Relevance: 1.3, APIs: 1, Instructions: 14COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 538 998090-998096 539 998184 538->539 540 99818c-998192 539->540 541 998186 CloseHandle 539->541 542 998115-998118 540->542 543 998194 540->543 541->540 544 998119-99811a 542->544 545 9980a7 542->545 543->542 546 99819a 543->546 544->545 547 99811c 544->547 548 99813c 546->548 549 99820f 547->549 548->539 550 99808e-998096 549->550 551 998215-99821e 549->551 550->539 550->545 551->550 553 998224 551->553 554 9981d7-9981e6 call 9c715c 553->554 555 998226 553->555 565 998089 554->565 566 9980ca-99810f GetTokenInformation 554->566 555->554 556 998228-9982ee call 995d90 555->556 567 99830c-99831e 556->567 568 9982f0 556->568 565->566 570 99808b 565->570 571 99812d 566->571 572 998111 566->572 574 9982a1-9982ba call 995d90 call 99ec00 567->574 575 998320 567->575 568->567 573 9982f2 568->573 576 99808c 570->576 580 9980a8 571->580 581 998133 571->581 572->571 578 998113 572->578 579 9982f7-9982fc call 995d90 573->579 574->575 575->579 582 998322 575->582 576->550 578->542 599 998253-998265 call 9b1280 579->599 600 998302 579->600 584 9980aa-9980ad 580->584 581->548 586 9981ed-9981f0 581->586 582->579 587 998324-998326 582->587 589 998163-998170 call 9c7164 584->589 590 9980b3-998203 584->590 591 9980da-9980f1 586->591 592 9981f6 586->592 594 998328 587->594 589->541 610 998172 589->610 590->589 608 998209 590->608 591->584 592->591 598 9981fc 592->598 605 9982df-99832b 594->605 606 998335 594->606 604 9981fe-998201 GetTokenInformation 598->604 599->594 615 99826b 599->615 600->599 607 998308-99830a 600->607 604->549 623 9981b7 604->623 605->606 617 99832d-998331 605->617 614 99826e-998285 606->614 607->567 610->540 619 99829b-99829d 614->619 620 998287 614->620 615->614 622 998239 615->622 617->606 619->574 621 99824c 620->621 621->619 626 99824e-998252 621->626 622->594 624 99823f-998243 622->624 623->549 625 9981b9-9981ca 623->625 624->579 624->621 629 9981d0 625->629 630 9980f3 625->630 626->614 629->604 635 9980c3 629->635 630->576 632 9980f5 630->632 632->576 636 998077 632->636 635->604 637 9980c9 635->637 636->554 637->566
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                          • Instruction ID: 0ebfad7ed046831af2fc8c07419aed7eb621a9afe250e7e6715db5aeb8359688
                                                          • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                          • Instruction Fuzzy Hash: 32C04C6152D946966E79064C1C1B0B726589603755B1C084E9C0685220DE598E8351AB
                                                          Function 0099817F Relevance: 1.3, APIs: 1, Instructions: 10COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 638 99817f 639 998184 638->639 640 99818c-998192 639->640 641 998186 CloseHandle 639->641 642 998115-998118 640->642 643 998194 640->643 641->640 644 998119-99811a 642->644 645 9980a7 642->645 643->642 646 99819a 643->646 644->645 647 99811c 644->647 648 99813c 646->648 649 99820f 647->649 648->639 650 99808e-998096 649->650 651 998215-99821e 649->651 650->639 650->645 651->650 653 998224 651->653 654 9981d7-9981e6 call 9c715c 653->654 655 998226 653->655 665 998089 654->665 666 9980ca-99810f GetTokenInformation 654->666 655->654 656 998228-9982ee call 995d90 655->656 667 99830c-99831e 656->667 668 9982f0 656->668 665->666 670 99808b 665->670 671 99812d 666->671 672 998111 666->672 674 9982a1-9982ba call 995d90 call 99ec00 667->674 675 998320 667->675 668->667 673 9982f2 668->673 676 99808c 670->676 680 9980a8 671->680 681 998133 671->681 672->671 678 998113 672->678 679 9982f7-9982fc call 995d90 673->679 674->675 675->679 682 998322 675->682 676->650 678->642 699 998253-998265 call 9b1280 679->699 700 998302 679->700 684 9980aa-9980ad 680->684 681->648 686 9981ed-9981f0 681->686 682->679 687 998324-998326 682->687 689 998163-998170 call 9c7164 684->689 690 9980b3-998203 684->690 691 9980da-9980f1 686->691 692 9981f6 686->692 694 998328 687->694 689->641 710 998172 689->710 690->689 708 998209 690->708 691->684 692->691 698 9981fc 692->698 705 9982df-99832b 694->705 706 998335 694->706 704 9981fe-998201 GetTokenInformation 698->704 699->694 715 99826b 699->715 700->699 707 998308-99830a 700->707 704->649 723 9981b7 704->723 705->706 717 99832d-998331 705->717 714 99826e-998285 706->714 707->667 710->640 719 99829b-99829d 714->719 720 998287 714->720 715->714 722 998239 715->722 717->706 719->674 721 99824c 720->721 721->719 726 99824e-998252 721->726 722->694 724 99823f-998243 722->724 723->649 725 9981b9-9981ca 723->725 724->679 724->721 729 9981d0 725->729 730 9980f3 725->730 726->714 729->704 735 9980c3 729->735 730->676 732 9980f5 730->732 732->676 736 998077 732->736 735->704 737 9980c9 735->737 736->654 737->666
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2965615833.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_990000_elevation_service.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                          • Instruction ID: 6a90d42bd3a293ff1465b01179d1ac86244813da0b9dac14497396e5d752d484
                                                          • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                          • Instruction Fuzzy Hash: 5DC092A055C509876D38268C2C0A0B3355C8613760F0C481FEC068A360DE598D8351B2

                                                          Execution Graph

                                                          Execution Coverage:4.1%
                                                          Dynamic/Decrypted Code Coverage:97.8%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:93
                                                          Total number of Limit Nodes:5
                                                          execution_graph 5452 2245b87 CreateThread 5453 2245b1c 5452->5453 5458 2245810 5452->5458 5454 2245cdf CreateThread 5453->5454 5455 2245c01 5453->5455 5454->5455 5456 22454a0 5454->5456 5457 22454b5 5456->5457 5459 2245822 5458->5459 5556 2245347 5557 22452cb 5556->5557 5558 22453c4 GetSystemDefaultLangID 5557->5558 5560 22452b0 5557->5560 5559 2245475 5558->5559 5460 2245b00 5461 2245bba 5460->5461 5468 22552c0 5461->5468 5463 2245bc7 5467 2245bde 5463->5467 5473 2260080 5463->5473 5469 22552c6 5468->5469 5472 22552ce 5468->5472 5469->5472 5487 224e050 5469->5487 5472->5463 5475 2260089 5473->5475 5474 22603e0 GetComputerNameW 5474->5475 5475->5474 5476 2260181 VirtualFree 5475->5476 5477 224e050 VirtualAlloc 5475->5477 5478 22603bf GetUserNameW 5475->5478 5479 2245c7b 5475->5479 5480 22604d6 GetComputerNameW 5475->5480 5476->5475 5477->5475 5478->5475 5481 2248070 5479->5481 5480->5475 5482 2248075 5481->5482 5483 2248186 CloseHandle 5482->5483 5484 22481ad GetTokenInformation 5482->5484 5485 22480ca GetTokenInformation 5482->5485 5486 22480a7 5482->5486 5483->5482 5484->5482 5485->5482 5486->5467 5488 224e0c3 5487->5488 5489 224e0d8 VirtualAlloc 5488->5489 5489->5488 5507 2245860 5508 22552c0 VirtualAlloc 5507->5508 5509 2245869 5508->5509 5510 2260080 5 API calls 5509->5510 5511 224587d 5510->5511 5512 2248070 3 API calls 5511->5512 5513 2245870 5512->5513 5496 2245b42 5498 2245b07 5496->5498 5498->5496 5499 2245b68 5498->5499 5500 2245ccf CreateThread 5498->5500 5502 22452a0 5498->5502 5500->5499 5506 22454a0 5500->5506 5505 22452ab 5502->5505 5503 22452b0 5503->5498 5504 22453c4 GetSystemDefaultLangID 5504->5503 5505->5503 5505->5504 5569 22455ef 5571 22455ac 5569->5571 5572 22455e4 5571->5572 5573 2263870 5571->5573 5574 2263876 5573->5574 5576 2263893 5574->5576 5577 2263720 5574->5577 5576->5571 5578 2250c42 5577->5578 5578->5577 5579 224e050 VirtualAlloc 5578->5579 5580 22637dd 5578->5580 5579->5578 5580->5576 5580->5580 5535 2245b09 5536 2245b16 5535->5536 5537 2245cdf CreateThread 5536->5537 5538 2245c01 5536->5538 5537->5538 5539 22454a0 5537->5539 5525 22452f4 5528 22452cb 5525->5528 5526 22453c4 GetSystemDefaultLangID 5527 22452b0 5526->5527 5528->5526 5528->5527 5514 22452b7 5515 22452c4 5514->5515 5516 22452b0 5514->5516 5515->5516 5517 22453c4 GetSystemDefaultLangID 5515->5517 5518 2245475 5517->5518 5519 2248090 5523 2248075 5519->5523 5520 2248186 CloseHandle 5520->5523 5521 22481ad GetTokenInformation 5521->5523 5522 22480ca GetTokenInformation 5522->5523 5523->5520 5523->5521 5523->5522 5524 22480a7 5523->5524 5581 22457f0 5582 22455ac 5581->5582 5583 22455e4 5582->5583 5584 2263870 VirtualAlloc 5582->5584 5584->5582 5490 22481b1 5494 2248075 5490->5494 5491 2248186 CloseHandle 5491->5494 5492 22481ad GetTokenInformation 5492->5494 5493 22480ca GetTokenInformation 5493->5494 5494->5491 5494->5492 5494->5493 5495 22480a7 5494->5495

                                                          Executed Functions

                                                          Function 022452A0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 292 22452a0-22452a5 293 224532e-224533f 292->293 294 22452ab-22452f5 292->294 298 224536b-224536f 293->298 294->293 297 22452f7-22453fe 294->297 302 2280d4c-2280d4e 297->302 303 2245400-2245424 297->303 300 2245375-2245390 298->300 301 2245441-224544a 298->301 306 2245392-224539a 300->306 307 22453c3 300->307 314 22453c4-22453ca GetSystemDefaultLangID 301->314 315 2245450 301->315 308 224542a 303->308 309 224539b 303->309 306->309 308->309 313 2245430-224543e 308->313 311 2245413-2245419 309->311 312 224539d-22453a1 309->312 316 22453a7 312->316 317 22452b0-22452b5 312->317 313->301 318 2245475-224547b 314->318 324 2245411 315->324 325 22453c1 315->325 316->317 320 22453ad 316->320 318->302 322 22453f3-22453f9 320->322 323 22453af-22453f1 320->323 329 2245355 322->329 330 224532a 322->330 323->311 323->322 324->311 324->314 325->307 325->324 333 22452d1-22452e7 329->333 334 22452e8-2245363 329->334 330->329 331 224532c 330->331 331->293 333->334 337 2245365 334->337 338 22453d1-22453d5 334->338 337->338 340 2245367-2245369 337->340 338->312 339 22453d7 338->339 339->303 342 224534b 339->342 340->298 342->303 343 2245351-2245353 342->343 343->329
                                                          APIs
                                                          • GetSystemDefaultLangID.KERNELBASE ref: 022453C4
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1792430322.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2240000_maintenanceservice.jbxd
                                                          Similarity
                                                          • API ID: DefaultLangSystem
                                                          • String ID:
                                                          • API String ID: 706401283-0
                                                          • Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                                          • Instruction ID: 42ac17646ce0ec3e9ec1f5510f4cd35864a242474146604aec6f194ae04f8d90
                                                          • Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
                                                          • Instruction Fuzzy Hash: FA41B45253DA964FD32E86E444643707F909B3226EFC904D7E4C29E0EEEFD848758726
                                                          Function 02260080 Relevance: 5.0, APIs: 3, Instructions: 466COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 2260080-2260286 2 226028c 0->2 3 2260099-2260575 0->3 4 2260445 2->4 7 2260155 3->7 8 226057b 3->8 4->3 6 226044b-2260457 4->6 10 2260458-2260472 GetComputerNameW 6->10 9 22602ef-2260495 call 224e050 * 2 7->9 8->7 11 2260581-2260587 8->11 9->10 52 226043e 9->52 15 22603ee-22603f4 10->15 16 226024c-2260253 10->16 13 226058b 11->13 18 2260181 VirtualFree 13->18 19 226058c-2260591 13->19 39 22600da-226023f 15->39 40 22603fa 15->40 23 22601e6 16->23 24 2260255 16->24 20 22601a8-22602ac call 2277164 18->20 21 2260597 19->21 22 22604ab-22604af 19->22 27 22602b1-22602be 20->27 21->22 30 226059d 21->30 49 22604c7 22->49 23->27 28 22601ec-2260313 call 227715c 23->28 31 22602d3 24->31 35 22602c4 27->35 36 22603bf-22603d9 GetUserNameW 27->36 55 2260318-226031e 28->55 30->22 31->23 38 22602d9 31->38 35->36 44 22602ca 35->44 45 2260331 36->45 38->9 39->16 53 2260241-226024a 39->53 40->39 46 2260400 40->46 44->31 50 2260337 45->50 51 2260171 45->51 54 226b1ee-226b49f 46->54 61 22604cc-22604e6 call 2279970 GetComputerNameW 49->61 50->51 58 226033d 50->58 56 2260173 51->56 57 226013f-2260146 51->57 52->4 53->16 53->27 59 2260324 55->59 60 2260568-226056b 55->60 62 2260230 56->62 57->13 63 22605d0-22605d9 58->63 59->60 65 226032a 59->65 60->61 69 2260131 61->69 70 22604ec-2260514 61->70 62->49 68 2260236-22605c2 62->68 63->54 65->45 68->49 74 22605c8-22605c9 68->74 72 2260137 69->72 73 2260089-226008c 69->73 70->60 72->73 77 226013d 72->77 73->20 76 2260092 73->76 74->63 76->20 78 2260098 76->78 77->18 77->57 78->3
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1792430322.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2240000_maintenanceservice.jbxd
                                                          Similarity
                                                          • API ID: ComputerName
                                                          • String ID:
                                                          • API String ID: 3545744682-0
                                                          • Opcode ID: a71ae9b16811adc73022ad3350357e15936bcd32632a6560717fc8edb7501c37
                                                          • Instruction ID: f7f75154a2f6e7ebd453807ad2fb3b95127d6acd7a1bf4c3db560dd41ed5dddb
                                                          • Opcode Fuzzy Hash: a71ae9b16811adc73022ad3350357e15936bcd32632a6560717fc8edb7501c37
                                                          • Instruction Fuzzy Hash: BFD1F432538B0A8BD728EF98D8497FAB7D1FB90310F08465ED846C7168DBB49785D6C2
                                                          Function 02248070 Relevance: 4.7, APIs: 3, Instructions: 236COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 79 2248070-224817e 81 2248180 79->81 82 224813d-22481a5 79->82 81->82 85 2248161 81->85 88 22481a7 82->88 89 22481bd-22481ca 82->89 87 2248163-2248170 call 2277164 85->87 93 2248186 CloseHandle 87->93 94 2248172 87->94 95 22481d0 89->95 96 22480f3 89->96 97 224818c-2248192 93->97 94->97 112 22480c3 95->112 113 22481fe-2248201 GetTokenInformation 95->113 98 22480f5 96->98 99 224808c 96->99 101 2248194 97->101 102 2248115-2248118 97->102 98->99 109 2248077 98->109 105 224808e-2248184 99->105 101->102 103 224819a 101->103 107 22480a7 102->107 108 2248119-224811a 102->108 103->82 105->93 105->97 108->107 114 224811c 108->114 115 22481d7-22481de call 227715c 109->115 112->113 117 22480c9 112->117 118 224820f 113->118 123 22481b7 113->123 114->118 124 22481e3-22481e6 115->124 122 22480ca-22480d8 GetTokenInformation 117->122 118->105 120 2248215-224821e 118->120 120->105 131 2248224 120->131 125 224810f 122->125 123->118 126 22481b9-22481bb 123->126 124->122 137 2248089 124->137 128 2248111 125->128 129 224812d 125->129 126->89 128->129 132 2248113 128->132 134 2248133-22481f0 129->134 135 22480a8 129->135 131->115 139 2248226 131->139 132->102 143 22481f6 134->143 144 22480da-22480f1 134->144 138 22480aa-22480ad 135->138 137->122 140 224808b 137->140 138->87 141 22480b3-2248203 138->141 139->115 142 2248228-22482ee call 2245d90 139->142 140->99 141->87 149 2248209 141->149 154 22482f0 142->154 155 224830c-2248320 call 2245d90 call 224ec00 142->155 143->144 145 22481fc 143->145 144->138 145->113 154->155 156 22482f2 154->156 158 22482f7-22482fc call 2245d90 155->158 171 2248322 155->171 156->158 164 2248302 158->164 165 2248253-2248265 call 2261280 158->165 164->165 168 2248308-224830a 164->168 172 2248328 165->172 173 224826b 165->173 168->155 171->158 174 2248324-2248326 171->174 178 2248335 172->178 179 22482df-224832b 172->179 173->172 177 224823f-2248243 173->177 174->172 177->158 182 2248287 178->182 183 224829b-224829d 178->183 179->178 184 224832d-2248331 179->184 182->183 186 224824e-2248252 182->186 184->178 186->165
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1792430322.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2240000_maintenanceservice.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7aba5bc73c5368664214373d784ef2a548d00c1ddc8eb6b6b5f00d205669205e
                                                          • Instruction ID: c2d05f4e2d512412845d06cb7d4664ef601367c137855becb28cd9ccc040f473
                                                          • Opcode Fuzzy Hash: 7aba5bc73c5368664214373d784ef2a548d00c1ddc8eb6b6b5f00d205669205e
                                                          • Instruction Fuzzy Hash: 79611120A3CA869FD76D8BE88C143367BA0FB45254F48565BD84BC71BCDFA4A844CB53
                                                          Function 02245910 Relevance: 1.9, APIs: 1, Instructions: 607COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 187 2245910-2245968 189 2245915-22459b8 call 2279970 call 2260df0 187->189 190 224596a 187->190 202 22459bd-22459c2 call 2245d90 189->202 190->189 194 2245931-225072c 190->194 197 2250806-2250809 194->197 198 2250732-2250738 194->198 207 225079d-22507a6 197->207 200 2250800 198->200 201 225073e 198->201 200->197 206 22506b3-22506b7 200->206 201->200 204 2250744-2250774 201->204 209 22459c7-22459ce 202->209 213 22506d5-22506d9 204->213 214 225077a-225081c 204->214 206->207 210 22506bd 206->210 211 2250791-2250793 207->211 212 22507a8 207->212 215 22459d0 209->215 216 2245a1a-2245a26 call 2245e10 209->216 210->207 217 22506c3-22507fe 210->217 218 22507ca-22507cc 211->218 212->211 219 22507aa 212->219 223 22506df 213->223 224 22506db 213->224 214->207 215->216 221 22459d2 215->221 240 2245994-224599c 216->240 241 2245a0d 216->241 217->200 219->218 226 22459d4-2245a15 call 22611a0 221->226 223->207 224->223 227 22506dd 224->227 227->223 232 225c0cc 227->232 233 225c0ce-225c0d0 232->233 234 225c0e8-225c102 232->234 237 225c0d2-225c0df 233->237 234->237 239 225c104 234->239 248 225c0e7 237->248 239->237 239->248 246 2245a02 240->246 247 224599e-22459f7 240->247 250 2245991 241->250 251 2245932 241->251 246->226 254 224597d 246->254 247->246 250->251 255 2245993 250->255 253 22459e4-22459ec call 22721ac 251->253 260 2245a62-2245a6e 253->260 261 22459ed 253->261 254->226 257 224597f-2245981 254->257 255->240 259 2245983-2245a38 257->259 259->240 266 2245a3e call 2272190 259->266 263 2245a75-2245ab3 call 2261280 260->263 264 2245a70 260->264 261->259 265 22459ee-22459ef 261->265 277 2245ab5 263->277 278 2245abb-2245ac9 263->278 264->263 268 2245a72 264->268 265->259 267 22459f1 265->267 266->240 279 22459e0 266->279 267->189 268->263 277->278 281 2245ab7-2245ab9 277->281 280 2245af2-2245af5 278->280 279->240 282 22459e2 279->282 286 2245ad5 280->286 287 2245adb-2245adc 280->287 281->278 282->253 286->287 288 2245ad7-2245ad9 286->288 289 2245a45-2245a46 287->289 290 2245ae2 287->290 288->287 290->289 291 2245ae8 290->291 291->280
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1792430322.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2240000_maintenanceservice.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8a678de662a63f360d272917e279b78a58a35c15b6fef688504f492f27f0c671
                                                          • Instruction ID: f570b8d002b4923fd6423f8427cc413e26b2d71bb35557919f31c9233414f9e1
                                                          • Opcode Fuzzy Hash: 8a678de662a63f360d272917e279b78a58a35c15b6fef688504f492f27f0c671
                                                          • Instruction Fuzzy Hash: C2F1673273CF594FC769A79C58443B973D2EB99310F88419AC08EC329DDE789996C782
                                                          Function 02245B42 Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 344 2245b42-2245b47 call 2245d90 346 2245b4c-2245b52 344->346 348 2245c42-2245c62 call 2261280 346->348 349 2245b0d 346->349 360 2245c24 348->360 361 2245c68 348->361 349->348 350 2245b13 349->350 352 2245c8f-2245c96 350->352 354 2245c98-2245c9a 352->354 355 2245c29 352->355 357 2245c9c 354->357 358 2245cc2-2245cc9 call 22452a0 355->358 359 2245c2f-2245c36 355->359 365 2245d0e-2245d18 357->365 366 2245bfa 357->366 376 2245c69 358->376 377 2245ccb 358->377 359->358 364 2245c3c 359->364 367 2245c14-2245c19 360->367 368 2245c26 360->368 364->344 370 2245d54 365->370 371 2245d1a 365->371 366->365 372 2245c00 366->372 373 2245cc0 367->373 374 2245c20-2245c21 367->374 368->367 375 2245c28 368->375 382 2245d5f 370->382 380 2245d4b-2245d52 371->380 372->367 373->358 374->361 375->355 378 2245c6f 376->378 379 2245b68-2245d75 376->379 377->357 381 2245ccd 377->381 378->379 384 2245c75 378->384 380->370 385 2245d45-2245d47 380->385 381->357 386 2245ccf-2245ce4 CreateThread 381->386 387 2245d65 382->387 384->352 385->382 388 2245d49 385->388 390 2245c01-2245d41 386->390 391 2245cea 386->391 387->387 388->380 388->382 390->380 396 2245d43 390->396 391->390 392 2245cf0-2245cf6 391->392 392->374 396->370
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1792430322.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2240000_maintenanceservice.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78aedcdccd15af220d42ed819c4b664c14081a9f79ff40e3eae0dab4aa8d7420
                                                          • Instruction ID: 42470e25b421aa25fa675312b47a0354a302520edfea3addb5281ba10d5f1f50
                                                          • Opcode Fuzzy Hash: 78aedcdccd15af220d42ed819c4b664c14081a9f79ff40e3eae0dab4aa8d7420
                                                          • Instruction Fuzzy Hash: B6219F2023C646CFDB6E9BD8C44877826D1AF75318FC801A6D4C7CE1AECFA48A64C716
                                                          Function 02245B09 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 397 2245b09-2245d01 402 2245bb4-2245ce4 CreateThread 397->402 403 2245d07 397->403 408 2245c01-2245c05 402->408 409 2245cea 402->409 403->402 404 2245d0d 403->404 407 2245d37-2245d41 404->407 410 2245d43 407->410 411 2245d4b-2245d52 407->411 408->407 409->408 412 2245cf0-2245cf6 409->412 413 2245d54 410->413 411->413 415 2245d45-2245d47 411->415 417 2245d5f 413->417 415->417 418 2245d49 415->418 421 2245d65 417->421 418->411 418->417 421->421
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1792430322.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2240000_maintenanceservice.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                          • Instruction ID: 01d96df8f065316c1d10572f06e27c7eb4df1d238df26f864af457a817245eb5
                                                          • Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
                                                          • Instruction Fuzzy Hash: 9501A97013D64BCFDB6E4AE48C183796A90AF71628FD401AAD8C3CA09DDFE44624CB02
                                                          Function 02245B87 Relevance: 1.5, APIs: 1, Instructions: 23threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 422 2245b87-2245b99 CreateThread 423 2245b1c-2245b3b 422->423 424 2245cff-2245d01 422->424 423->424 425 2245bb4-2245ce4 CreateThread 424->425 426 2245d07 424->426 432 2245c01-2245c05 425->432 433 2245cea 425->433 426->425 427 2245d0d 426->427 431 2245d37-2245d41 427->431 434 2245d43 431->434 435 2245d4b-2245d52 431->435 432->431 433->432 436 2245cf0-2245cf6 433->436 437 2245d54 434->437 435->437 439 2245d45-2245d47 435->439 441 2245d5f 437->441 439->441 442 2245d49 439->442 445 2245d65 441->445 442->435 442->441 445->445
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1792430322.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2240000_maintenanceservice.jbxd
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                          • Instruction ID: 983d9687ce2dd8deb585b09ec522c13a409b31c3dd5a0dde2c3d8ea45cb42d33
                                                          • Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
                                                          • Instruction Fuzzy Hash: 21E0867063DB444FDB5E9F6498103193AE6FB98214F4501CEC48AD71DDCF7909158782
                                                          Function 0224599B Relevance: 1.3, APIs: 1, Instructions: 48COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 446 224599b-224599e 447 22459f7 446->447 448 22459b8 call 2260df0 446->448 450 2245a02 447->450 451 22459bd-22459c2 call 2245d90 448->451 454 22459d4-2245a15 call 22611a0 450->454 455 224597d 450->455 456 22459c7-22459ce 451->456 455->454 457 224597f-2245981 455->457 460 22459d0 456->460 461 2245a1a-2245a26 call 2245e10 456->461 462 2245983-2245a38 457->462 460->461 464 22459d2 460->464 468 2245994-224599c 461->468 476 2245a0d 461->476 462->468 469 2245a3e call 2272190 462->469 464->454 468->450 472 224599e 468->472 469->468 482 22459e0 469->482 472->447 480 2245991 476->480 481 2245932 476->481 480->481 484 2245993 480->484 483 22459e4-22459ec call 22721ac 481->483 482->468 485 22459e2 482->485 488 2245a62-2245a6e 483->488 489 22459ed 483->489 484->468 485->483 490 2245a75-2245ab3 call 2261280 488->490 491 2245a70 488->491 489->462 492 22459ee-22459ef 489->492 502 2245ab5 490->502 503 2245abb-2245ac9 490->503 491->490 494 2245a72 491->494 492->462 493 22459f1 call 2279970 492->493 493->448 494->490 502->503 505 2245ab7-2245ab9 502->505 504 2245af2-2245af5 503->504 509 2245ad5 504->509 510 2245adb-2245adc 504->510 505->503 509->510 511 2245ad7-2245ad9 509->511 512 2245a45-2245a46 510->512 513 2245ae2 510->513 511->510 513->512 514 2245ae8 513->514 514->504
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1792430322.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2240000_maintenanceservice.jbxd
                                                          Similarity
                                                          • API ID: wcscpy
                                                          • String ID:
                                                          • API String ID: 1284135714-0
                                                          • Opcode ID: 3490bab9a1fec10f496c8f24eaac10769b028ffe75d25190336d55c0437fa726
                                                          • Instruction ID: 902dda5af07a12a822a31af6fca956c166c9c65f937ceaae1b57be4e81e3b618
                                                          • Opcode Fuzzy Hash: 3490bab9a1fec10f496c8f24eaac10769b028ffe75d25190336d55c0437fa726
                                                          • Instruction Fuzzy Hash: 5B01F27063D7928FD67F9AD840002782652BB74328FD8045B90CA8B19DCEB84529CBC2
                                                          Function 02248090 Relevance: 1.3, APIs: 1, Instructions: 14COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 515 2248090-2248096 516 2248184 515->516 517 224813c-22481a5 515->517 519 2248186 CloseHandle 516->519 520 224818c-2248192 516->520 529 22481a7 517->529 530 22481bd-22481ca 517->530 519->520 521 2248194 520->521 522 2248115-2248118 520->522 521->522 523 224819a 521->523 525 22480a7 522->525 526 2248119-224811a 522->526 523->517 526->525 528 224811c 526->528 531 224820f 528->531 536 22481d0 530->536 537 22480f3 530->537 532 2248215-224821e 531->532 533 224808e-2248096 531->533 532->533 540 2248224 532->540 533->516 548 22480c3 536->548 549 22481fe-2248201 GetTokenInformation 536->549 538 22480f5 537->538 539 224808c 537->539 538->539 546 2248077 538->546 539->533 544 2248226 540->544 545 22481d7-22481e6 call 227715c 540->545 544->545 547 2248228-22482ee call 2245d90 544->547 557 22480ca-224810f GetTokenInformation 545->557 564 2248089 545->564 546->545 568 22482f0 547->568 569 224830c-2248320 call 2245d90 call 224ec00 547->569 548->549 553 22480c9 548->553 549->531 560 22481b7 549->560 553->557 566 2248111 557->566 567 224812d 557->567 560->531 565 22481b9-22481bb 560->565 564->557 570 224808b 564->570 565->530 566->567 571 2248113 566->571 572 2248133-22481f0 567->572 573 22480a8 567->573 568->569 575 22482f2 568->575 578 22482f7-22482fc call 2245d90 569->578 603 2248322 569->603 570->539 571->522 582 22481f6 572->582 583 22480da-22480f1 572->583 576 22480aa-22480ad 573->576 575->578 580 2248163-2248170 call 2277164 576->580 581 22480b3-2248203 576->581 594 2248302 578->594 595 2248253-2248265 call 2261280 578->595 580->519 596 2248172 580->596 581->580 590 2248209 581->590 582->583 584 22481fc 582->584 583->576 584->549 594->595 600 2248308-224830a 594->600 604 2248328 595->604 605 224826b 595->605 596->520 600->569 603->578 606 2248324-2248326 603->606 610 2248335 604->610 611 22482df-224832b 604->611 605->604 609 224823f-2248243 605->609 606->604 609->578 614 2248287 610->614 615 224829b-224829d 610->615 611->610 616 224832d-2248331 611->616 614->615 618 224824e-2248252 614->618 616->610 618->595
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1792430322.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2240000_maintenanceservice.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                          • Instruction ID: 50c689170e0f53df1a9408712758eb0148abad6e2a2da2e97e53cff6665ada5c
                                                          • Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
                                                          • Instruction Fuzzy Hash: C7C04C65539997976A7E06C81D1B1F42650960A655B0C04579C0F8123CDF958A618197
                                                          Function 0224817F Relevance: 1.3, APIs: 1, Instructions: 10COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 619 224817f 620 2248184 619->620 621 2248186 CloseHandle 620->621 622 224818c-2248192 620->622 621->622 623 2248194 622->623 624 2248115-2248118 622->624 623->624 625 224819a-22481a5 623->625 626 22480a7 624->626 627 2248119-224811a 624->627 637 22481a7 625->637 638 22481bd-22481ca 625->638 627->626 629 224811c 627->629 631 224820f 629->631 632 2248215-224821e 631->632 633 224808e-2248096 631->633 632->633 639 2248224 632->639 633->620 645 22481d0 638->645 646 22480f3 638->646 640 2248226 639->640 641 22481d7-22481e6 call 227715c 639->641 640->641 643 2248228-22482ee call 2245d90 640->643 660 2248089 641->660 661 22480ca-224810f GetTokenInformation 641->661 664 22482f0 643->664 665 224830c-2248320 call 2245d90 call 224ec00 643->665 662 22480c3 645->662 663 22481fe-2248201 GetTokenInformation 645->663 649 22480f5 646->649 650 224808c 646->650 649->650 658 2248077 649->658 650->633 658->641 660->661 667 224808b 660->667 672 2248111 661->672 673 224812d 661->673 662->663 668 22480c9 662->668 663->631 676 22481b7 663->676 664->665 671 22482f2 664->671 675 22482f7-22482fc call 2245d90 665->675 706 2248322 665->706 667->650 668->661 671->675 672->673 677 2248113 672->677 679 2248133-22481f0 673->679 680 22480a8 673->680 693 2248302 675->693 694 2248253-2248265 call 2261280 675->694 676->631 683 22481b9-22481bb 676->683 677->624 690 22481f6 679->690 691 22480da-22480f1 679->691 684 22480aa-22480ad 680->684 683->638 687 2248163-2248170 call 2277164 684->687 688 22480b3-2248203 684->688 687->621 705 2248172 687->705 688->687 700 2248209 688->700 690->691 692 22481fc 690->692 691->684 692->663 693->694 701 2248308-224830a 693->701 708 2248328 694->708 709 224826b 694->709 701->665 705->622 706->675 710 2248324-2248326 706->710 714 2248335 708->714 715 22482df-224832b 708->715 709->708 713 224823f-2248243 709->713 710->708 713->675 718 2248287 714->718 719 224829b-224829d 714->719 715->714 720 224832d-2248331 715->720 718->719 722 224824e-2248252 718->722 720->714 722->694
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1792430322.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2240000_maintenanceservice.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                          • Instruction ID: c1b4902d2c3b7a387f761738b39c9a5c668c774d3cee85dcfb6560fd65ceda95
                                                          • Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
                                                          • Instruction Fuzzy Hash: 1FC092A597859B87693E26C82C0A0B13550460B664F0D4423EC0F8A37CDF984EA081A3